Data Processing Addendum

THIS DATA PROCESSING ADDENDUM (“DPA”) is made between Tinybird Inc. with offices at 41 East 11th Street, 11th Floor . New York, NY 10003, USA (“Tinybird”), and the Customer identified in the Order Form. This DPA is incorporated into and made subject to the Tinybird Analytics License Agreement between Tinybird and Customer, or to any other written agreement between Tinybird and Customer (such as Tinybird’s Free, Developer and Developer Pro Terms of Service), that governs Customer’s use of the Services (as defined below) (the “Agreement”).

BACKGROUND

1. Tinybird provides a data analytics platform-as-a-service solution (“Services”) to the Customer under the Agreement. In connection with the Services, Tinybird processes certain personal data in respect of which Customer or any Customer Affiliate (as defined below), or customers of Customer or its Affiliates, may be a data controller under the Data Protection Laws (as defined below).
2. Customer and Tinybird have agreed to enter into this DPA in order to establish their respective responsibilities under the Data Protection Laws.
3. All capitalized terms used in this DPA but not otherwise defined have the meaning ascribed to them in the Agreement.

1. Definitions

1.1   For purposes of this DPA, the following initially capitalized words have the following meanings:

1. “Adequate Country” means a country or territory that is recognized under applicable Data Protection Laws from time to time as providing adequate protection for personal data.
2. “Affiliate” means any person, partnership, joint venture, corporation or other form of venture or enterprise, domestic or foreign, including subsidiaries, which directly or indirectly Control, are Controlled by, or are under common Control with a party. “Control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and operating policies of the entity in respect of which the determination is being made, through the ownership of more than fifty percent (50%) of its voting or equity securities, contract, voting trust or otherwise.
3. “Tinybird Platform” means the computer software applications, tools, application programming interfaces (APIs), and connectors provided by Tinybird as its data analytics platform as a service offering, together with the programs, networks and equipment that Tinybird uses to make such platform available to its customers.
4. “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Tinybird, but has not signed its own Sales Order with Tinybird and is not a “Customer” as defined under this DPA
5. “Customer” means the entity that executed the Agreement, together with its Affiliates (for so long as they remain Affiliates) that have signed Sales Orders with Tinybird.
6. “Customer Data” means any data that Customer or its Users input into the Tinybird Platform for Processing as part of the Services, including any Personal Data forming part of such data.
7. “Data Protection Laws” means all laws and regulations in any relevant jurisdiction applicable to the DPA, the Agreement, or the processing of Personal Data, including laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and/or the United Kingdom and California, including (where applicable) (i) the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), (iii) the Swiss Federal Act on Data Protection, ; (iv) the UK Data Protection Act 2018; and (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time.
8. “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”).
9. “Personal Data” means Customer Data consisting of any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws).
10. “Standard Contractual Clauses” or (“SCCs”) means the standard contractual clauses annexed to the European Commission‘s Implementing Decision 2021/914 of 4 June on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“).
11. “processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” have the meanings ascribed to them in the GDPR.

2. Status of the parties

2.1    The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex A.

2.2.    In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that Customer is the Data Controller and Tinybird is the Data Processor. Tinybird agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA.

2.3    As between the parties, Customer is solely responsible for obtaining, and has obtained or will obtain, all necessary consents, licenses and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of Personal Data (the “Customer Legal Basis Assurance”). Without limiting the Customer Legal Basis Assurance, each of Customer and Tinybird warrant in relation to Personal Data that it will comply with (and will ensure that any of its personnel comply with), the Data Protection Laws applicable to it.

3. Tinybird obligations

3.1    Instructions. Tinybird will only process the Personal Data in order to provide the Services and will act only in accordance with the Agreement and Customer’s written instructions. The Agreement, this DPA, and Customer’s use of the Tinybird Platform’s features and functionality, are Customer’s written instructions to Tinybird in relation to the processing of Personal Data.

3.2    Contrary Laws. If the Data Protection Laws require Tinybird to process Personal Data other than pursuant to Customer’s instructions, Tinybird will notify Customer prior to processing (unless prohibited from so doing by applicable law).

3.3    Infringing Instructions. Tinybird will immediately inform Customer if, in Tinybird’s opinion, any instructions provided by Customer under Clause 3.1 infringe the GDPR or other applicable Data Protection Laws.

3.4    Appropriate Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Tinybird will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Tinybird’s possession or under its control. Such measures include security measures equal to or better than those specified in Annex B below. Customer has reviewed Tinybird’s security program and acknowledges that it is designed to ensure a level of security appropriate to the risk. Customer further acknowledges that it is responsible for its configuration of the Tinybird Platform and for using features and functionality of the Services to ensure a level of security appropriate to the risks presented by the processing.

3.5    Access by Tinybird Personnel. Tinybird will ensure that its personnel have access to Personal Data only as necessary to perform the Services in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under written obligations of confidentiality.

3.6    Personal Data Breaches. Taking into account the nature of the processing and the information available to Tinybird:

1. Tinybird will, without undue delay after becoming aware, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Tinybird’s possession or under its control (including when transmitted, stored or otherwise processed by Tinybird) (a “Personal Data Breach”);
2. Tinybird will promptly provide Customer with reasonable cooperation and assistance in respect of the Personal Data Breach and information in Tinybird’s possession concerning the Personal Data Breach, including, to the extent then-known to Tinybird, the following:

• the nature of the Personal Data Breach;
• the categories and approximate number of data subjects concerned;
• the categories and approximate number of Personal Data records concerned;
• the likely consequences of the Personal Data Breach;
• a summary of the unauthorised recipients of the Personal Data; and
• the measures taken or proposed to be taken by Tinybird to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

3.7    Deletion or Return of Personal Data. Tinybird will return Personal Data to Customer by permitting Customer to export Personal Data from the Tinybird Platform at any time during provision of the Services, using the Tinybird Platform’s then existing features and functionality. Customer may delete Customer Data on its “Tenants” at any time. (“Tenant” means a logical isolation unit, or dedicated share of a particular Tinybird Platform instance; the dedicated share may be configured to reflect the needs of the specific Customer business unit using the share.) Tinybird will delete Customer’s Tenants (and any data remaining on such Tenants) within 30 days of termination or expiration of the Subscription Term, and other Personal Data retained by Tinybird (if any). Tinybird is not obligated to delete copies of Personal Data retained in automated backup copies generated by Tinybird, which Tinybird will retain for up to, and delete within, 14 months from their creation. Such backup copies will remain subject to this DPA and the Agreement until they are destroyed.

3.8    Assistance. Taking into account the nature of processing and the information available to Tinybird, Tinybird will assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to:

1. data protection impact assessments (as such term is defined in the GDPR);
2. notifications to the supervisory authority under Data Protection Laws and/or communications to data subjects by Customer in response to any Personal Data Breach; and
3. prior consultations with supervisory authorities.

3.9    Data Subject Requests. Taking into account the nature of the processing, Tinybird will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under Chapter III of the GDPR or other applicable Data Protection Laws. Tinybird will promptly notify Customer of requests received by Tinybird, unless otherwise required by applicable law. Customer may make changes to Personal Data processed with the Tinybird Platform using the features and functionality of the Tinybird Platform. Tinybird will not make changes to such data except as agreed in writing with Customer. If and to the extent that Customer is unable to respond to a data subject request by using features and functionality of the Tinybird Platform and a response to the data subject is required by Data Protection Laws, Tinybird will, upon written request by Customer, reasonably assist Customer in responding to the request.

3.10    Records of Processing Activities. Tinybird will maintain records of its processing activities as required by Article 30.2 of the GDPR, and make such records available to the applicable supervisory authority upon request.

4. Sub-processing

4.1    Disclosure and Transfer of Personal Data. Tinybird will not disclose or transfer Personal Data to any third party without the prior written permission of Customer, except (i) as specifically stated in the Agreement or this DPA, or (ii) where such disclosure or transfer is required by any applicable law, regulation, or public authority.

4.2    Consent to Sub-Processors. Customer consents to Tinybird’s use of sub-processors to provide aspects of the Services, and to Tinybird’s disclosure and provision of Personal Data to those sub-processors. Tinybird publishes a list of its then-current sub-processors at https://tinybird.co/tinybird-subprocessors.pdf (“Sub-Processor List”). Tinybird will require its sub-processors to comply with terms that are substantially no less protective of Personal Data than those imposed on Tinybird in this Agreement (to the extent applicable to the services provided by the sub-processor). Tinybird will be liable for any breach of its obligations under this Agreement that is caused by an act, error or omission of a sub-processor.

4.3    Authorization of New Sub-Processors. Tinybird may authorize new sub-processors, provided that:

1. Tinybird provides at least 30 days prior written notice to Customer of the authorization of any new sub-processor to process Personal Data in connection with its provision of Services (including details of the processing and location) and Tinybird will update the list of all sub-processors engaged to process Personal Data under this DPA published at https://tinybird.co/tinybird-subprocessors.pdf and make such updated version available to Customer prior to such authorization of the sub- processor;
2. Tinybird requires each sub-processor to comply with terms which are substantially no less protective of Personal Data than those imposed on Tinybird in this DPA, to the extent reasonably applicable to the services such sub-processor provides; and
3. Tinybird remains liable for any breach of its obligations under this DPA that is caused by an act, error or omission of the sub-processor.

4.4    Objections to New Sub-Processors. If Customer objects to the authorization of any future sub-processor on reasonable data protection grounds within 30 days of notification of the proposed authorization, and if Tinybird is unable to provide an alternative or workaround to avoid processing of Personal Data by the objected to sub-processor within a reasonable period of time, not to exceed 30 days from receipt of the objection (the “Correction Period”), then, at any time within expiration of the Correction Period, Customer may elect to terminate the processing of Personal Data under affected Sales Orders to the Agreement without penalty, by written notice to Tinybird to that effect. If Customer terminates any such Sales Order in accordance with the foregoing, then Tinybird will refund to Customer a pro-rata amount of any affected Services fees prepaid to Tinybird and applicable to the unutilized portion of the Subscription Term for terminated Services.

5. Audit and records

5.1    Provision of Information. Tinybird will make available to Customer such information in Tinybird’s possession or control as Customer may reasonably request with a view to demonstrating Tinybird’s compliance with the obligations of data processors under the Data Protection Laws in relation to its processing of Personal Data.

5.2   Audit Right. Customer may exercise its right of audit under the Data Protection Laws, through Tinybird providing:

1. an audit report or certification not older than 12 months by an independent external auditor; and
2. additional information in Tinybird’s possession or control to an EU supervisory authority when it requests or requires additional information in relation to the data processing activities carried out by Tinybird under this DPA.

6. Data transfers

This Section 6 applies to any processing by Tinybird or its sub-processors of any Personal Data subject to the GDPR.

6.1    To the extent any processing by Tinybird of Personal Data takes place in any country outside the European Economic Area (“EEA”) (other than exclusively in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing; Tinybird will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and Customer will comply with the obligations of ‘data exporter’. In this respect, Customer and Tinybird agree that the Standard Contractual Clauses are incorporated into and made subject to this DPA by this reference.

6.2    Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA from time to time.

6.3.    If, in the performance of this DPA, Tinybird transfers any Personal Data to a sub-processor (including any Tinybird Affiliate that acts as a sub-processor) where such sub-processor will process Personal Data outside the EEA (other than exclusively in an Adequate Country), then Tinybird will in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place, such as:

1. the requirement for Tinybird to execute or procure that the third party execute Standard Contractual Clauses; or
2. any other specifically approved safeguard for data transfers (as recognised under the Data Protection Laws) and/or a European Commission finding of adequacy.

6.4    The following terms will apply to the Standard Contractual Clauses:

1. Module Two will apply;
2. in Clause 7, the optional docking clause will apply;
3. in Clause 9, option 2 (general authorisation to appoint subprocessors) will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Clause 4.3 (a) of this DPA;
4. in Clause 11 (alternative dispute resolution mechanism), the optional language will not apply;
5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Spanish law;
6. in Clause 18(b), disputes shall be resolved before the courts of Spain;
7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA;
8. Subject to Clause 3.4 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this DPA;

7. Authorized Affiliates

7.1    By executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Tinybird and each such Authorized Affiliate, subject to the provisions of the Agreement and this Section 7 and Section 8. Each Authorized Affiliate agrees to be bound by the obligations of Customer under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA.

7.2    The Customer that is the contracting party to the Agreement will remain responsible for coordinating all communication with Tinybird under this DPA and will be entitled to make and will receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

7.3    Where an Authorized Affiliate becomes a party to the DPA with Tinybird it will, to the extent required under applicable Data Protection Laws, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

1. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Tinybird directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement will exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 7.3(b) below).
2. The Customer that is the contracting party to the Agreement will, when carrying out any audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Tinybird and its sub-processors by combining, to the extent reasonably possible, several audit requests of itself and all of its Authorized Affiliates in one single audit.

8. Limitation of Liability

8.1    Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Tinybird, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitations and Exclusions of Liability’ (or its equivalent) section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Tinybird’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, will not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

9. General

9.1    This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail insofar as the subject matter concerns the processing of Personal Data. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.

9.2    Customer and Tinybird each agree that the dispute resolution provisions of the Agreement (including governing law and venue) apply to this DPA.

Annex A - Description of Processing

LIST OF PARTIES

Data exporter(s): Customer Entity as described in the Agreement (‘Customer’)

Name: Customer

Address: The Address is as set out in the Agreement

Contact person’s name, position and contact details: The Contact Details are as set out in the Agreement

Activities relevant to the data transferred under these Clauses: As set out in the master agreement between the parties.

Role (controller/processor): Controller

Data importer(s): 

Name: Tinybird Inc.

Address: Tramontana 28, 1D, 28223, Pozuelo de Alarcón, Madrid

Contact person’s name, position and contact details: CTO, Raúl Ochoa, support@tinybird.co

Activities relevant to the data transferred under these Clauses: As set out in the master agreement between the parties.

Role (controller/processor): Processor

DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data subjects are end users, or individuals purporting to be end users, of the Customer Applications, or other data subjects with respect to whom Customer elects to collect their personal data, and Customer’s and Customer Affiliate members’, and its and their service providers, employees, consultants, agents and representatives authorized by Customer to use the Services

Categories of personal data transferred

Email addresses or unique identification methods depending on the authentication method selected by Customer, and any other personal data that the Customer uploads to the Tinybird platform with the purpose of querying or analysing it;

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (eg. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

The processing will comprise the following: Tinybird provides a data analytics platform, which Customer may use to develop and integrate data products and applications. The Tinybird Platform is not an application in itself; the Customer will need to write its own code to enable interoperability between the Tinybird Platform and Customer applications, and to determine how to use the Tinybird Platform within the Customer’s architecture. Tinybird is responsible only for the Tinybird Platform. Tinybird is not responsible for the Customer’s networks, systems or applications (collectively, “Customer Systems”), the means by which the Customer chooses to integrate the Tinybird Platform into the Customer Systems, or the security and data protection measures that the Customer applies to the Customer Systems. The Tinybird Platform acts as a backend for data querying via Customer defined queries and APIs that then need to be integrated into Customer applications. Tinybird has minimal control over the nature and scope of the personal data that Customer chooses to process using the Tinybird Platform, minimal insight into the identity of the Customer’s users, and no role in the means by which Customer obtains personal data of Customer’s users or Customer’s decision-making as to the purpose for which the personal data is processed.

Purpose(s) of the data transfer and further processing

The purpose of the data processing is the provision of the Tinybird Services to the Customer and the performance of the Tinybird’s obligations under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The duration of the data processing under this DPA is until the termination or expiration of the Underlying Agreements in accordance with its terms.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the Processing of Personal Data by (Sub) Processors, if applicable, shall be as outlined above.

COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Spanish Data Protection Authority

Annex B - Security Measures

The Data Importer currently abides by the security standards in this Annex B. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

Hosting Infrastructure

Infrastructure. The Data Importer hosts its services in geographically distributed, secure data centers operated by Google Cloud (GCP), Amazon Web Services (AWS) or Microsoft Azure.

Redundancy. The services are replicated across multiple data centers within a geographic region to eliminate single points of failure using an active/passive configuration in order to minimize the impact of environmental risks.

Monitoring. The services are protected by automated monitoring which is designed to detect a variety of failure conditions and which will, when appropriate, trigger failover mechanisms.

Backups. Backups are performed on a regular basis and stored in a secondary site within the same geographic region.

Business Continuity. The Data Importer replicates its service and data over multiple data centers within a geographic region (when made available by Data Importers infrastructure as a service providers) to protect against loss of service or data. The Data Importer conducts periodic tests of failover and data backup procedures to ensure readiness for business continuity and disaster recovery.

Networks & Transmission. 

Network Data Transmission. Interactions between users, administrators and Data Importer modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols. 

Network Security. The Data Importer employs multiple layers of DOS protection, Intrusion Detection, Rate Limiting and other network security services from both its hosting providers and third party providers. 

Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection) available.

Access Controls. 

Access Procedures. Only authorized employees are allowed access to these restricted components and all access is approved by an employee’s manager and service owner. Only a small number of individuals are approved to access the restricted components. 

Access Mechanisms. Access to the Data Importer’s production service and build infrastructure occurs only over a secured channel and requires two-factor authentication.

Data Protection 

In Transit. Interactions between users, administrators and Tinybird modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols. 

At Rest. The Data Importer uses cryptographic hashing and encryption mechanisms to protect sensitive information such as cryptographic keys and application secrets. 

Redundancy. The Data Importer stores data in a multi-tenant environment within the Data Importer’s hosted infrastructure. The data and service are replicated across multiple hosted data centers within the same geographic region. 

Data Isolation. The Data Importer logically isolates the Data Exporter’s data, and the Data Exporter has a large degree of control over the specific data stored in the Service. Data Deletion. The Data Importer provides to the Data Exporter a mechanism that can be used to delete the Data Exporter’s data.

Software Code Review. The Data Importer employs a code review process to improve the security of the code used to provide the Services. All changes to the service are reviewed and approved by a senior engineer other than the author of the change. 

Automated testing. Each software build is subjected to a comprehensive suite of automated tests. Security Scan. The Data Importer employs a third party to scan the Service for security vulnerabilities on a periodic basis.

Staff Conduct and Security. 

Staff Conduct. The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, usage, compliance and professional standards. 

Background Checks. The Data Importer conducts reasonably appropriate background checks as legally permissible and in accordance with applicable local labor law and statutory regulations.

Subprocessor Security. Prior to onboarding sub-processors that will handle any data provided by a Data Exporter, the Data Importer conducts an assessment of the security and privacy practices of the sub-processor to help ensure that the sub-processor provides a level of security and data protection controls appropriate to their access to data and the scope of the services they are engaged to provide.