Nov 10, 2023

Aiven Data Processing Agreement

1. Background

This Data Processing Agreement ("DPA") is attached to the General Terms (available at Aiven General Online Terms and Conditions or Aiven Marketplace Terms and Conditions if Customer purchases through a marketplace) and forms an inseparable part of the Agreement entered into by Aiven and the Customer. This DPA shall set out the terms and conditions for the processing of Personal Data by Aiven on behalf of the Customer under the Agreement.

2. Scope and conflict of rules

To the extent the Customer inputs Personal Data into the Cloud Services and Aiven processes such Personal Data, the Parties acknowledge that the Customer acts as a Data Controller and Aiven is a Data Processor processing Personal Data on behalf of the Customer for the purpose of providing the Cloud Services. 

In the event of any discrepancy between this DPA and the Agreement, this DPA prevails.

3. Definitions

Unless otherwise defined in this DPA or in the Agreement, terms used in this DPA, such as "Data Controller", "Data Processor", "Data Subject" and "Personal Data" have the meanings as defined in the Data Protection Regulation. 

4. Processing of personal data

Processing of Personal Data under this DPA is for the purpose of providing the Cloud Services to the Customer. Processing of Personal Data in this context refers to storage, maintenance and other processing activities initiated by the Customer, depending on which Cloud Services the Customer has chosen to order from time to time. The categories of Data Subjects and the types of Personal Data processed are defined in Appendix 1 (Details of processing).

Personal Data may be processed as long as the Cloud Services are provided under the Agreement and after that if required by applicable law or contractual obligations or rights of either Party.

5. Customer's instructions

Aiven shall process Personal Data in accordance with the Customer's written instructions as established in this DPA. The Parties agree that this DPA is the Customer's complete written instruction to Aiven in the Customer's role as the Data Controller. Additional instructions require prior written agreement between the Parties.

6. Aiven’s general obligations

Aiven shall, at the Customer's written request and the Customer's sole cost and expense, assist the Customer by providing such readily available information, or creating such information, as the Customer may reasonably require and which the Customer does not have, in complying with the requests of the Data Subjects or supervisory authority or any other law enforcement or regulatory authority.

Aiven shall inform the Customer, as soon as reasonably practicable, if it receives a request from a Data Subject seeking to exercise his or her rights under the Data Protection Regulation.

Aiven shall maintain records of processing activities under its responsibility to ensure Aiven's own compliance as a Data Processor with the Data Protection Regulation, and upon the Customer's written request Aiven shall make available to the Customer such records to the extent necessary to demonstrate compliance with Aiven’s obligations set out in this DPA and in the Data Protection Regulation.

7. Data security

Aiven shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security of the Personal Data and to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure for the purposes of the Cloud Services. Aiven has committed to comply with the ISO 27001 certification to ensure an appropriate level of security of the Personal Data.

In the event of a Personal Data Breach, Aiven shall notify the Customer without undue delay after becoming aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such breach. The notification shall contain information Aiven is reasonably able to disclose to the Customer, including the following information:

  1. a description of the nature of the Personal Data Breach, including where possible the categories of Data Subjects and the Personal Data concerned;
  2. the name and contact details of the contact point where more information can be obtained;
  3. a description of the likely consequences of the Personal Data Breach; and
  4. a description of the measures taken or proposed to be taken to address the Personal Data Breach.

The information may be provided in phases if it is not possible to provide the information at the same time.

Aiven shall cooperate with and assist the Customer, at the Customer's written request and the Customer's sole cost and expense, in relation to the Personal Data Breach notifications made to supervisory authority as required under the Data Protection Regulation. Aiven shall document the Personal Data Breaches and have the documentation available to the Customer upon the Customer's written request.

8. Subprocessors

Aiven is entitled to use Subprocessors for the purposes of providing the Cloud Services under the Agreement. Aiven provides information on its Subprocessors at its Web Site. The Customer can choose a Subprocessor to provide the hosting for the Cloud Services from the options provided by Aiven. Aiven shall inform the Customer in writing of any intended changes of the hosting service provider Subprocessor at least fourteen (14) days in advance, giving the Customer sufficient time to be able to object to such change. The Customer hereby consents to Aiven's use of Subprocessors as described in this section.

Aiven shall use its commercially reasonable efforts to ensure that its Subprocessors are subject to similar data protection obligations, in particular in terms of providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Regulation, as set out in this DPA. Aiven remains responsible for its Subprocessors and their compliance with the obligations of this DPA.

9. Transfers of personal data

The Customer may choose where the Cloud Services will be hosted. If the Customer has selected a Subprocessor to provide the hosting within the European Economic Area ("EEA"), Aiven shall store the Personal Data within the EEA and transfers outside the EEA are subject to the Customer's prior approval, instruction or request thereto.

If the Customer selects a Subprocessor to provide the hosting services outside the EEA, the Customer accepts that Aiven: (i) performs the international data transfer of Personal Data in accordance with the Standard Contractual Clauses (processor-to-processor module) entered into by Aiven (as a data exporter) and the Subprocessor (as a data importer); or (ii) agrees for the Subprocessor to carry out the transfer in accordance with the Standard Contractual Clauses (processor-to-processor module) entered into by the Subprocessor group companies (Subprocessor's EEA entity as a data exporter and third country entity as a data importer), as applicable, depending on the Subprocessor the Customer chooses.

The Customer warrants to have used reasonable efforts to determine that the Subprocessor acting as data importer, and chosen by Customer, is able through the implementation of appropriate technical and organizational measures, to satisfy data importer’s obligations under the Standard Contractual Clauses for the transfer to be performed as agreed in this DPA. In the event of discrepancies between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses prevail. 

All transfers of Personal Data of citizens of the United Kingdom ("UK Transfers") are made under the Standard Contractual Clauses as described under this section. In addition, UK Transfers are governed under the IDTA as implemented to the Standard Contractual Clauses by the chosen Subprocessor. For the purposes of this DPA, the "IDTA" means the International data transfer addendum to the European Commission's standard contractual clauses for international data transfers issued by the UK Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018.

Notwithstanding the foregoing, the Standard Contractual Clauses will not apply if Aiven has adopted alternative safeguards in accordance with Data Protection Regulation for the lawful transfer of Personal Data outside the EEA.

10. Auditing

At the Customer's written request and the Customer's sole cost and expense, the Customer is entitled, once every twelve (12) months, to audit Aiven's compliance with its obligations under the Data Protection Regulation and this DPA.

The audit report and related information shall at all times be deemed as Aiven's confidential information.

11. Data confidentiality

Aiven will not access, use, have visibility into, or disclose to any third party any data that the Customer has input into the Cloud Services, except if specifically requested in writing by the Customer in order to provide customer-specific support services as requested and instructed by the Customer, or as specifically permitted under Section 7.2 of the General Terms.

If a governmental body sends Aiven a demand for the data input into the Cloud Services, Aiven will use its best efforts to redirect the governmental body to request that data directly from the Customer. If compelled to disclose Customer Data to a governmental body, then Aiven will only disclose the Personal Data strictly to the extent it is legally required to do so and shall give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy unless Aiven is legally prohibited from doing so.

12. Term and termination

This DPA shall become effective in parallel with the Agreement and shall continue in force until the termination of the Agreement or as long as Aiven processes Personal Data on behalf of the Customer.

If not instructed otherwise in writing by the Customer and unless legally required to keep the Personal Data, Aiven shall delete and destroy the Personal Data processed hereunder at the latest within ninety (90) days of the termination of the Agreement or after the maximum data retention period permitted by the technology of the relevant Cloud Service. In case the Customer demands that the Personal Data are returned to the Customer or to a third party, the Customer will pay Aiven for any additional costs and expenses arising out of such return of the Personal Data.

Appendix 1 - Details of processing

This Appendix 1 forms part of this DPA describing the details of personal data to be processed by Aiven. 

The Customer has full control of what personal data will be processed by uploading such personal data into the Cloud Services. Aiven has no visibility into such personal data provided and uploaded by the Customer.

Data subjects

Categories of personal data

Special categories of personal data - No special categories of Personal Data are processed. 

Subject matter of the processing - Hosting, storing and maintenance of the data the Customer has input into the Cloud Services.

For clarity, the Customer is the Data Controller of, and this DPA is only applied to, the Personal Data input to the Cloud Services by Customer.

Appendix 2 - Aiven’s technical and organizational safety measures

This Appendix 2 forms a part of this DPA describing Aiven’s technical and organizational safety measures.

Description of the technical and organizational security measures implemented by Aiven.

Aiven will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data processed on the Cloud Services as applicable to the specific Cloud Service purchased by the Customer. Aiven complies and is committed to comply with the ISO 27001 certificate to provide sufficient protection for the Personal Data processed under the DPA.