LaunchDarkly Data Processing Addendum
This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between Catamorphic Co. dba LaunchDarkly (“LaunchDarkly”) and the customer entity (“Customer”) identified in the applicable subscription agreement governing use of the LaunchDarkly Service (the “Agreement”). This DPA is incorporated by reference into the Agreement. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA, any previously executed data processing agreement, and the remaining terms of the Agreement, this DPA will govern. LaunchDarkly and Customer are each referred to herein as a “Party” and collectively as the “Parties.”
In the course of providing the Service under the Agreement, LaunchDarkly may Process certain Personal Data (such term defined below) on behalf of Customer and where LaunchDarkly Processes such Personal Data on behalf of Customer, the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1. Definitions
“Applicable SCCs” means the Standard Contractual Clauses (i.e. EU SCCs and/or UK SCCs) that apply to Personal Data Processed pursuant to this DPA.
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018. For the avoidance of doubt, if LaunchDarkly’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A to this DPA.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in the performance of the Service under the Agreement, but does not include the Parties’ business contact information (specifically, business addresses, phone numbers, and email addresses) used solely to facilitate the Parties’ communications for administration of the Agreement.
“Personal Data Breach” means any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Data or any other unauthorized Processing of Personal Data.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service” means the services LaunchDarkly is obligated to provide pursuant to the Agreement.
“Subprocessor” means any LaunchDarkly affiliate or other direct or indirect subcontractor with which LaunchDarkly contracts to Process Personal Data in relation to the Agreement.
“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in this DPA.
2. Relationship of the Parties and Scope
a. LaunchDarkly as a Processor. The Parties acknowledge and agree that with regard to Personal Data, Customer is a “Controller” and LaunchDarkly is a “Processor,” as such terms are defined by Data Privacy Laws. For purposes of the CCPA, Customer is a “business,” and LaunchDarkly is a “service provider,” as such terms are defined in the CCPA. In some circumstances, Customer may be a Processor of Personal Data, in which case Customer appoints LaunchDarkly as its Subprocessor, which shall not change the obligations of either Customer or LaunchDarkly under this DPA.
b. Processing Details. The details of the Processing are set forth in Annex I.B of the EU SCCs (Schedule A).
c. Processing Limitations.
i. LaunchDarkly will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; (3) in accordance with Customer’s instructions, which include the terms of this DPA; and (4) in compliance with Data Privacy Laws. LaunchDarkly will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
ii. Where explicitly required by Data Privacy Laws, LaunchDarkly shall (1) implement the same degree of security to protect Personal Data as required by Data Privacy Laws; (2) as set forth in Section 6 (Customer’s Audit Rights), grant Customer the right to take reasonable and appropriate steps to (a) ensure LaunchDarkly uses the Personal Data consistent with Customer’s obligations and (b) upon notice, stop and remediate any unauthorized use of Personal Data; and (3) notify Customer if it can no longer meet its obligations under this DPA.
d. Compliance with Laws. LaunchDarkly will comply with all Data Privacy Laws applicable to LaunchDarkly in its role as provider of the Service. Customer will comply with all applicable Data Privacy Laws relevant to use of the Service, including by obtaining any consents and providing any notices required under applicable Data Privacy Laws for LaunchDarkly to provide the Service. Customer will ensure that Customer and its Authorized Users are entitled to transfer the Personal Data to LaunchDarkly so that LaunchDarkly and its Subprocessors may lawfully Process the Personal Data in accordance with this DPA. LaunchDarkly will promptly inform Customer if, in LaunchDarkly’s opinion, an instruction from Customer infringes Data Privacy Laws.
e. Certification. LaunchDarkly hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
3. Assistance and Cooperation
a. Data Subject Requests. Taking into account the nature of the Processing and to the extent legally permitted, LaunchDarkly will promptly notify Customer, or refer the individual back to the Customer, if LaunchDarkly receives any requests from an individual seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data. LaunchDarkly shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a request from a Data Subject to exercise rights under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from LaunchDarkly’s provision of such assistance, including any fees associated with provision of additional functionality.
b. Complaints or Requests for Personal Data. LaunchDarkly will promptly notify Customer of (1) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (2) any government or Data Subject requests for access to or information about LaunchDarkly’s Processing of Personal Data on Customer’s behalf, unless prohibited by applicable laws. LaunchDarkly will provide Customer with reasonable cooperation and assistance in relation to any such request.
c. Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to LaunchDarkly, LaunchDarkly will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of Personal Data involving LaunchDarkly in the form of publicly-available documentation for the Service. Additional support for data protection impact assessments may require mutual agreement on fees, the scope of LaunchDarkly’s involvement, and any other terms that the Parties deem appropriate.
d. Supervisory and Other Regulatory Authorities. LaunchDarkly shall provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to LaunchDarkly under Data Privacy Laws to consult with a regulatory authority in relation to LaunchDarkly’s Processing or proposed Processing of Personal Data.
4. Subprocessors
a. Appointment of Subprocessors. Customer acknowledges and agrees that LaunchDarkly’s Affiliates and certain third parties may be retained as subprocessors (“Subprocessors”) to Process Personal Data on LaunchDarkly’s behalf in order to provide the Service. LaunchDarkly’s Subprocessors are listed at https://launchdarkly.com/policies/subprocessors/. LaunchDarkly will impose contractual obligations on any Subprocessor LaunchDarkly appoints requiring it to protect Customer Personal Data to standards which are no less protective than those set forth under this DPA. LaunchDarkly remains liable for its Subprocessors’ performance under this DPA to the same extent LaunchDarkly is liable for its own performance.
b. Notification of New Subprocessors. Customer must subscribe for updates on Subprocessors through the mechanism available at https://launchdarkly.com/policies/subprocessors/ or by emailing subprocessors@launchdarkly.com to request to receive such updates. Once subscribed, Customer will be notified of new Subprocessors at least thirty (30) days before LaunchDarkly authorizes such Subprocessor to Process Personal Data (or in the case of an emergency, as soon as reasonably practicable).
c. Right to Object to Subprocessors. Customer may object to LaunchDarkly’s use of a new Subprocessor by notifying LaunchDarkly promptly in writing at subprocessors@launchdarkly.com (with its reasonable grounds for objection) within ten (10) business days after receipt of LaunchDarkly’s notice as described in Section 4(b). In the event Customer objects to a new Subprocessor on reasonable grounds, LaunchDarkly will use commercially reasonable efforts to make available to Customer a change in the Service or Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor. If LaunchDarkly is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Order Form(s) or the Agreement. Customer will receive a prorated refund of any prepaid amounts for any remaining time under the applicable Order Form(s) or the Agreement.
5. Security
a. Security Measures. LaunchDarkly will use appropriate technical and organizational measures to protect Personal Data that it Processes, as described in the LaunchDarkly Security Program Addendum located at https://launchdarkly.com/policies/security-program-addendum/. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk. LaunchDarkly will ensure that the persons LaunchDarkly authorizes to Process Personal Data are subject to written confidentiality agreements or a statutory obligation of confidentiality.
b. LaunchDarkly’s Security Assistance. Customer agrees that LaunchDarkly will (taking into account the nature of the Processing of Personal Data and the information available to LaunchDarkly) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of Personal Data, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by implementing and maintaining the security measures set forth in Annex II to the EU SCCs (Schedule A). LaunchDarkly may update the security measures it implements so long as the overall security of Personal Data is not reduced.
6. Customer's Audit Rights
a. Audit Rights. If required by Data Privacy Laws applicable to Personal Data, LaunchDarkly will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify LaunchDarkly’s compliance with its obligations under this DPA in accordance with Section 6(c) (Additional Business Terms for Reviews and Audits). LaunchDarkly will contribute to such audits as described in Section 5(b) (LaunchDarkly’s Security Assistance) and this Section 6 (Customer’s Audit Rights).
b. Standard Contractual Clauses. If Customer has entered into EU SCCs or UK SCCs as described in Section 8 (International Transfers of Personal Data), LaunchDarkly will, without prejudice to any audit rights of a supervisory authority under such Applicable SCCs, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Applicable SCCs in accordance with Section 6(c) (Additional Business Terms for Reviews and Audits).
c. Additional Business Terms for Reviews and Audits
i. Customer may exercise its right to audit LaunchDarkly under Sections 6(a) and 6(b) where (1) there has been a Personal Data Breach within the previous six (6) months or there is reasonable suspicion of a Personal Data Breach within the previous six (6) months, or (2) Customer will pay all reasonable costs and expenses incurred by LaunchDarkly in making itself available for an audit. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and LaunchDarkly and must execute a written confidentiality agreement acceptable to LaunchDarkly before conducting the audit. Except for audits conducted pursuant to Section 6(c)(i)(1), Customer may invoke its audit right no more than once annually.
ii. To request an audit under Sections 6(a) or 6(b), Customer must submit a detailed audit plan to LaunchDarkly at privacy@launchdarkly.com at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of LaunchDarkly’s compliance with the Applicable SCCs or its compliance with the Data Privacy Laws necessitating the audit, in each case with respect to the Personal Data. The audit must be conducted during regular business hours at the applicable facility, subject to LaunchDarkly policies, and may not interfere with LaunchDarkly business activities.
iii. Following receipt by LaunchDarkly of a request for an audit under Sections 6(a) or 6(b), LaunchDarkly and Customer will discuss and agree in advance on the reasonable start date, scope, and duration of any audit under Sections 6(a) or 6(b).
iv. Customer will be responsible for any fees it incurs, including any fees charged by any auditor appointed by Customer to execute any such audit.
v. Customer will provide LaunchDarkly any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of the Applicable SCCs or the Data Privacy Law necessitating the audit. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of LaunchDarkly under the terms of the Agreement.
vi. LaunchDarkly may object in writing to an auditor appointed by Customer if the auditor is, in LaunchDarkly’s reasonable opinion, not suitably qualified or independent, a competitor of LaunchDarkly, or otherwise manifestly unsuitable. Any such objection by LaunchDarkly will require Customer to appoint another auditor or conduct the audit itself.
vii. Nothing in this DPA will require LaunchDarkly either to disclose to Customer or its auditor, or to allow Customer or its auditor to access: (a) any data of any other customer of LaunchDarkly; (b) LaunchDarkly’s internal accounting or financial information; (c) any trade secret of LaunchDarkly; (d) any information that, in LaunchDarkly’s reasonable opinion, could: (i) compromise the security of LaunchDarkly systems or premises; or (ii) cause LaunchDarkly to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or (e) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Applicable SCCs or the Data Privacy Law necessitating the audit.
d. No Modification of Applicable SCCs. Nothing in this Section 6 varies or modifies any rights or obligations of Customer or LaunchDarkly under any Applicable SCCs entered into as described in Section 8 (International Transfers of Personal Data).
7. Personal Data Breaches
a. Personal Data Breach Notification and Response. LaunchDarkly will comply with the Personal Data Breach-related obligations directly applicable to it under Data Privacy Laws. LaunchDarkly shall notify Customer of a confirmed Personal Data Breach of which LaunchDarkly becomes aware without undue delay and in any event no later than seventy-two (72) hours following such confirmation. To the extent available, this notification will include LaunchDarkly’s then-current assessment of the following:
i. the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
ii. the likely consequences of the Personal Data Breach; and
iii. measures taken or proposed to be taken by LaunchDarkly to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
b. Additional Notifications. LaunchDarkly will provide timely and periodic updates to Customer as additional information regarding the Personal Data Breach becomes available. Customer acknowledges that any updates may be based on incomplete information.
c. No Assessment of Personal Data by LaunchDarkly. LaunchDarkly will not assess the contents of Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
d. No Acknowledgment of Fault by LaunchDarkly. LaunchDarkly’s notification of or response to a Personal Data Breach under this Section 7 will not be construed as an acknowledgement by LaunchDarkly of any fault or liability with respect to the Personal Data Breach.
e. Compliance with Law. Nothing in this DPA or in the Applicable SCCs will be construed to require LaunchDarkly to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
8. International Transfers of Personal Data
a. Transfer Authorization. Customer authorizes LaunchDarkly and its Subprocessors to make international transfers of the Personal Data in accordance with this DPA so long as applicable Data Privacy Laws for such transfers are respected.
b. Transfers from the EEA. With respect to Personal Data transferred from the European Economic Area (“EEA”), the EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the EU SCCs. They will be deemed completed as follows:
i. Where Customer acts as a controller and LaunchDarkly acts as Customer’s processor with respect to the Personal Data subject to the EU SCCs, its Module 2 applies. Where Customer acts as a processor and LaunchDarkly acts as Customer’s subprocessor with respect to the Personal Data subject to the EU SCCs, its Module 3 applies.
ii. Clause 7 (the optional docking clause) is included.
iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization).
iv. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
vi. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
vii. Annexes I-III of the EU SCCs are set forth in Schedule A of the DPA.
viii. By entering into this DPA, the Parties are deemed to be signing the EU SCCs and their applicable Annexes.
c. Transfers from Switzerland. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
d. Transfers from the United Kingdom. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs that, upon notice from Customer, will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
i. Table 1 of the UK SCCs: (1) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Schedule A; (2) the Key Contact shall be the contacts set forth in Schedule A.
ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedule A.
iv. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
v. By entering into this DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.
e. Alternative Data Transfer Mechanism. If LaunchDarkly adopts an alternative data transfer mechanism (including any new version of or successor to the Applicable SCCs adopted pursuant to Data Privacy Laws) for the transfer of Personal Data that is not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism will apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Privacy Laws).
9. Additional Safeguards for Transfers
a. Additional Safeguards. To the extent that LaunchDarkly Processes Personal Data of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, LaunchDarkly agrees to the following safeguards in this Section 9 to protect such data to an equivalent level as applicable Data Privacy Laws.
b. Notification of Law Enforcement Requests. LaunchDarkly will inform Customer of any request for disclosure of Personal Data by a law enforcement, civil, administrative, national or public security or other competent authority outside Europe, including but not limited to pursuant to the U.S. Foreign Intelligence Surveillance Act (FISA) §702, Executive Order (E.O.) 12333, the Stored Communications Act (18 U.S.C. § 2703), the CLOUD Act (18 U.S.C. § 2523) (each a “Law Enforcement Request”), unless LaunchDarkly is otherwise prohibited under applicable law.
c. Challenging Demands. LaunchDarkly will use all reasonably available legal mechanisms to challenge any Law Enforcement Requests it receives as well as any non-disclosure provisions attached thereto.
d. Notification of Inability to Comply. LaunchDarkly will promptly notify Customer if LaunchDarkly can no longer comply with the Applicable SCCs or the clauses in this Section. LaunchDarkly shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, Order Forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
10. Return and Deletion of Personal Data
a. Deletion Upon Termination. Upon termination of the Agreement and written verified request from Customer’s authorized representative (which for purposes of this section is either a billing owner or an administrator of Customer’s Account, or a member of Customer’s personnel who has confirmed in writing that they are authorized to make decisions on behalf of Customer), LaunchDarkly will delete Personal Data as specified in the Agreement, unless prohibited by applicable law.
SCHEDULE A Annex I
A. LIST OF PARTIES
Name:
Customer, a user of the LaunchDarkly Service
Address:
As listed in the Agreement
Contact person’s name, position and contact details:
As listed in the Agreement
Activities relevant to the data transferred under these Clauses:
As described in Section B below
Role (controller/processor):
Controller and/or Processor
Name:
Catamorphic Co. dba LaunchDarkly, provider of the Service (“LaunchDarkly”)
Address:
1999 Harrison St., Suite 1100, Oakland, CA 94612 USA
Contact person’s name, position and contact details:
privacy@launchdarkly.com
Activities relevant to the data transferred under these Clauses:
Data importer will process the data in order to provide the Service pursuant to the Agreement.
Role (controller/processor):
Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates, and other end users.
Categories of personal data transferred
- The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of personal data transferred might include (but are not limited to): name, email address, telephone, title, and feature flag configuration entered by the data exporter or its end users.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- The data importer does not intentionally or knowingly process any special category data. However, the categories of personal data transferred are determined solely by the data exporter.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- The Personal Data shall be transferred continuously for as long as LaunchDarkly provides the Service pursuant to the Agreement.
Nature of the processing
- The nature of the processing consists of collecting, storing and transferring Personal Data to facilitate LaunchDarkly’s provision of the Service to Customer as further described in the Agreement.
Purpose(s) of the data transfer and further processing
- The purpose of the data transfer is to enable LaunchDarkly to provide the Service to Customer as further described in the Agreement. There is no processing other than as set forth above.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The Personal Data shall be retained as directed by Customer as needed to provide the Service pursuant to the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Same as above
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Irish Data Protection Commission for Personal Data from the EEA; United Kingdom Information Commissioner’s Office for Personal Data from the United Kingdom
Annex II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
LaunchDarkly emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.
Description of LaunchDarkly’s current technical and organizational security measures can be found at https://launchdarkly.com/security/.
Specific measures:
Pseudonymization and encryption of personal data
Customer Data is encrypted in transit and at rest. The connection to app.launchdarkly.com is encrypted with cipher suites of at least 128-bit strength and supports TLS 1.2 and above. Logins and sensitive data transfers are performed over encrypted protocols such as TLS.
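The transport posture stated above is something a customer can verify rather than take on trust. The script below is an added example written for this page, not LaunchDarkly's own code or tooling. It connects to the endpoint named above with a client that refuses anything below TLS 1.2, reports the negotiated protocol and symmetric cipher strength, checks the result against the stated thresholds (TLS 1.2, 128 bits), and separately confirms that a client capped at TLS 1.1 is turned away, which is the stronger reading of "supports TLS 1.2 and above". The function names, the `TlsObservation` record and the 5 second timeout are assumptions of this example; the policy check itself is a pure function that can be run offline on constructed observations.

```python
"""Probe a TLS endpoint and compare it with the Annex II statement.

Added example for this page (not LaunchDarkly code). The thresholds mirror
the text above: TLS 1.2 or above, cipher suites of at least 128-bit strength.
"""
import socket
import ssl
from dataclasses import dataclass

MIN_CIPHER_BITS = 128

# Protocol strings as returned by SSLSocket.version(), ranked weakest to strongest.
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
_MIN_RANK = _VERSION_RANK["TLSv1.2"]


@dataclass(frozen=True)
class TlsObservation:
    protocol: str      # e.g. "TLSv1.3", from SSLSocket.version()
    cipher: str        # e.g. "TLS_AES_256_GCM_SHA384", from SSLSocket.cipher()[0]
    secret_bits: int   # symmetric key strength, from SSLSocket.cipher()[2]


def meets_policy(obs: TlsObservation) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    rank = _VERSION_RANK.get(obs.protocol)
    if rank is None or rank < _MIN_RANK:
        problems.append(f"protocol {obs.protocol} is below TLS 1.2")
    if obs.secret_bits < MIN_CIPHER_BITS:
        problems.append(f"cipher {obs.cipher} offers only {obs.secret_bits} bits")
    # NULL and anonymous suites give no confidentiality or authentication; flag them
    # by name so the report says why, even though they also fail the bit check.
    if "NULL" in obs.cipher.upper() or "ANON" in obs.cipher.upper():
        problems.append(f"cipher {obs.cipher} provides no confidentiality or authentication")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect with a client that refuses anything below TLS 1.2 and report what was negotiated.

    Certificate validation stays on (default context), so a successful handshake also
    means the chain validated against the local trust store.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return TlsObservation(protocol=tls.version(), cipher=name, secret_bits=bits)


def legacy_client_refused(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server refuses a client capped at TLS 1.1, i.e. it really enforces 1.2+.

    Some OpenSSL builds no longer offer TLS 1.0/1.1 at all; then the ssl module raises
    when the cap is set and the legacy handshake is treated as impossible.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        return True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return False  # legacy handshake succeeded: minimum version not enforced
    except (ssl.SSLError, ConnectionResetError, ConnectionAbortedError):
        return True


if __name__ == "__main__":
    target = "app.launchdarkly.com"  # endpoint named in Annex II
    observed = probe(target)
    violations = meets_policy(observed)
    print(f"{target}: {observed.protocol} {observed.cipher} ({observed.secret_bits}-bit)")
    print("client capped at TLS 1.1 refused:", legacy_client_refused(target))
    print("policy:", "OK" if not violations else "; ".join(violations))
```

Run it from a network that can reach the endpoint; the only positive evidence for "TLS 1.2 and above" is the second line reading True, since a server that merely supports TLS 1.3 may still accept TLS 1.0 from a legacy client.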
Confidentiality, integrity, availability and resilience of processing systems and services
LaunchDarkly maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting risk assessments of all systems and networks that process Customer Data on at least an annual basis; (c) maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities, a written information security policy, and an incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (d) monitoring for security incidents; (e) penetration testing performed by a qualified third party on an annual basis; and (f) having resources responsible for information security efforts.
Restoration and availability of personal data
LaunchDarkly takes daily snapshots of its databases and securely copies them to a separate data center for restoration purposes in the event of a regional AWS failure. Backups are encrypted and have the same protection in place as production. Additionally, Customer Data is in multiple AWS availability zones and regions for resiliency.
Testing, assessing, and evaluating security measures
On an annual basis, LaunchDarkly performs, and engages third parties to perform, a variety of testing to protect against unauthorized access to Customer Data and to assess the security, reliability, and integrity of the Service. To the extent LaunchDarkly determines, in its sole discretion, that any remediation is required based on the results of such testing, it will perform such remediation within a reasonable period of time taking into account the nature and severity of the identified issue. As of the Effective Date, LaunchDarkly undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls to meet the criteria related to security and availability set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). LaunchDarkly maintains an ISO/IEC 27001:2013 certification to demonstrate its conformity with the defined requirements in the ISO/IEC 27001:2013 standard.
User identification and authorization
Access to manage LaunchDarkly’s AWS environment requires multi-factor authentication, management access to the Service is logged, and access to Customer Data is restricted to a limited set of approved LaunchDarkly employees. AWS networking features such as security groups are leveraged to restrict access to AWS instances and resources and are configured to restrict access using the principle of least privilege. Employees are trained on documented information security and privacy procedures. Every LaunchDarkly employee signs a data access policy that binds them to the terms of LaunchDarkly’s data confidentiality policies and access to LaunchDarkly systems is promptly revoked upon termination of employment.
Protection of data during transmission
Customer Data is encrypted in transit and encrypted at rest. The connection to app.launchdarkly.com is encrypted with at least 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS.
Protection of data during storage
Customer Data is stored cross-regionally with AWS. Data backups are encrypted. Customer Data is encrypted at rest with AES-256 keys.
Physical security
LaunchDarkly uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in the United States. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
Logging
Access to LaunchDarkly critical systems is restricted, monitored, and logged. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID associated with the action. The level of additional detail recorded by each audit log is proportional to the amount and sensitivity of the information stored and/or processed on that system. All logs are protected from change.
System configuration
To prevent and minimize the potential for threats to LaunchDarkly’s systems, baseline configurations are required prior to deployment of any user, network, or production equipment. Systems are centrally managed and configured to detect and alert on suspicious activity.
IT Security Governance and Management
IT Security Governance and Management structures and processes are designed to ensure compliance with data protection principles and their effective implementation. LaunchDarkly maintains a formal information security program with dedicated security personnel reporting to the Director of Security. The Security Team is responsible for implementing security controls and monitoring LaunchDarkly for suspicious activity. Policies and procedures, including the LaunchDarkly Information Security Policy, are updated on an annual basis and reviewed and approved by management. Senior management meets with the board of directors to review business objectives, projects, resource needs, and risk mitigation activities, including results from internal and external assessments.
Certifications and audits
As of the Effective Date, LaunchDarkly undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls to meet the criteria related to security and availability set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). LaunchDarkly maintains conformity with the defined requirements in the ISO/IEC 27001:2013 standard.
Data quality
LaunchDarkly maintains web server and application log details that include any changes to sensitive configuration settings and files. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID associated with the action. Logs are protected from change. Users who would like to exercise their rights under applicable law to update information which is out of date or incorrect may do so at any time by emailing privacy@launchdarkly.com. More information on data subject rights can be found at https://launchdarkly.com/policies/privacy/.
ANNEX III - SUBPROCESSORS
Customer has authorized the use of Subprocessors as set forth in Section 4 of the DPA.