This OceanBase Data Processing Addendum (“DPA”) is incorporated into and forms an integral part of the OceanBase Cloud Services Agreement (“CSA”) entered into between the applicable OceanBase Contracting Entity (as defined in the CSA) (“OceanBase”, “we”, “us”, or “our”) and you or the entity you represent (“you” or “your”, or “Customer”).
In the event of any conflict or inconsistency between the terms and conditions of this DPA and any terms or conditions of the CSA, the terms and conditions of this DPA shall prevail to the extent of the conflict or inconsistency.
This DPA sets out data protection requirements regarding the processing of Customer Personal Data for the purpose of providing OceanBase Cloud Services.
1. Definitions
1.1 “Customer Personal Data” means any Personal Data contained in the Customer Data that is processed by OceanBase in connection with its provision of the OceanBase Cloud Services to you or performance of its other obligations set out in the CSA.
1.2 “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.3 “Data Subject” means a natural person who can be identified, whether directly or indirectly, including by reference to an identification number or to one or more identifiers specific to his physical, physiological, mental, economic, cultural or social identity.
1.4 “Processor” means an organisation which processes Personal Data on behalf of another organisation but does not include an employee of that other organisation.
1.5 All capitalized terms not defined in this DPA shall have the meaning set forth in the CSA.
2. Scope and Roles
2.1 This DPA applies when Customer Personal Data is processed by OceanBase for the purpose of providing OceanBase Cloud Services to you. In this context, OceanBase shall be the Processor to you, and you may be either a Controller or Processor.
3. Customer to Ensure Sufficient Consent
3.1 You shall ensure that you have, and will maintain in place, all consents, registrations and/or authorizations as may be required to enable OceanBase to receive and process the Customer Personal Data, including but not limited to the transferring of Customer Personal Data to Singapore and (if applicable) from Singapore to Japan.
4. OceanBase’s Processing of Customer Personal Data
4.1 OceanBase will comply with all Data Protection Laws as applicable to OceanBase and as applicable to Processors relating to its processing of any Customer Personal Data under this DPA.
4.2 OceanBase will only process the Customer Personal Data:
a) in accordance with your documented instructions, which shall include processing Customer Personal Data as necessary to provide the OceanBase Cloud Services under the CSA; or
b) as required to comply with any Data Protection Law to which OceanBase is subject, in which case OceanBase shall (to the extent permitted by applicable Law) inform you of that legal requirement before processing the Customer Personal Data.
4.3 In the event that OceanBase becomes aware that an instruction from you may, in OceanBase’s reasonable opinion, infringe Data Protection Laws, OceanBase shall promptly inform you, in which case you may withdraw and/or modify your instructions.
4.4 For clarity, OceanBase may not: (a) sell or share (as those terms are defined in applicable Data Protection Laws) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data to any third party for the commercial benefit of OceanBase; (c) retain, use, or disclose Customer Personal Data outside of its direct business relationship with you or for a commercial purpose other than the business purposes specified in the CSA and this DPA or as otherwise permitted by applicable Law; or (d) combine Customer Personal Data with Personal Data that OceanBase receives from, or on behalf of, other persons, or collects from its own interaction with a Data Subject, except and solely to the extent expressly permitted by applicable Law.
4.5 OceanBase will implement appropriate technical and organisational measures in relation to the processing of Customer Personal Data:
a) such that the processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects; and
b) so as to ensure a level of security that is appropriate to the risks presented by the processing of Customer Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed, having regard to the nature of the Customer Personal Data and the state of technological development and the cost of implementing any measures.
4.6 OceanBase will ensure that all OceanBase personnel who are authorised to process the Customer Personal Data are informed of the confidential nature of the Customer Personal Data, are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data, and are suitably trained to ensure compliance with Data Protection Laws.
4.7 OceanBase will either delete or return the Customer Personal Data to you upon your written request, after the end of the provision of the OceanBase Cloud Services, or as necessary to comply with a request by a Data Subject to exercise his/her rights over Customer Personal Data, save that OceanBase shall be entitled to retain copies of the Customer Personal Data to the extent it is required to do so under applicable Law.
4.8 OceanBase will notify you as soon as reasonably practicable if OceanBase receives any complaint, notice or communication (whether from a Government Agency or Data Subject or otherwise) which relates directly or indirectly to the processing of Customer Personal Data, or the exercise of any rights of the Data Subject in respect of Customer Personal Data.
4.9 OceanBase will provide reasonable assistance, information and cooperation to you with respect to meeting your obligations under the Data Protection Laws, including in relation to:
a) responding to requests by Data Subjects to exercise rights over Customer Personal Data;
b) notification by you of Personal Data Breaches to Government Agencies or Data Subjects;
c) carrying out data protection impact assessments in relation to the processing of such Customer Personal Data, if required; and
d) consulting with a Government Agency regarding high risk processing.
5. Personal Data Breach Notification
5.1 OceanBase will notify you in writing and without undue delay after becoming aware of a Personal Data Breach affecting the Customer Personal Data. OceanBase shall also, without undue delay and to the extent known to OceanBase, provide you with:
a) a description of the nature of the Personal Data Breach, including categories of affected Customer Personal Data, approximate number of affected Data Subjects and the approximate number of affected Customer Personal Data records;
b) the likely consequences of the Personal Data Breach, if any; and
c) a description of measures taken or proposed to be taken with respect to the Personal Data Breach, including measures to mitigate its possible adverse effects.
5.2 In the event that OceanBase is not able to provide you with any of the information set out in Section 5.1 above, OceanBase will provide this information in phases as soon as the same is reasonably available.
6. Details of Processing
6.1 Subject Matter of the Processing. OceanBase has agreed to provide the OceanBase Cloud Services under the CSA, possibly involving the processing of the Customer Personal Data.
6.2 Nature and Purpose of the Processing. The nature and purpose of the processing are to provide the OceanBase Cloud Services.
6.3 Types of Customer Personal Data Processed. OceanBase will possibly process the following types of Customer Personal Data determined and controlled by you during the course of the provision of the OceanBase Cloud Services, in each case in accordance with your documented instructions:
a) Identification, biographical and contact data (such as name, birthday, education, address, phone number, email account, and other contact details);
b) Financial data (such as payment information, transaction information, account details);
c) Employment data (such as employer, employee, title, office information, responsibility);
d) Special Categories of Customer Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the CSA, you may include “special categories of personal data” or similarly sensitive personal data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by you in your sole discretion; and/or
e) Any other types of Customer Personal Data that you or your End Users transfer or upload to the OceanBase Cloud Services.
6.4 Categories of Data Subjects. The categories of Data Subjects are determined and controlled by you and may include, but are not limited to:
a) Your business partners, customers, potential customers (who are natural persons);
b) Your employees, workers, vendors, independent contractors (who are natural persons); and/or
c) Employees and/or contact persons of your vendors, independent contractors, business partners, customers and/or potential customers.
6.5 Location of Data Processing. Customer Personal Data Processed will be stored on servers located in Singapore. When Customer chooses to use our data transfer service, such Customer Personal Data Processed will be transferred to servers located in Japan from Singapore.
7. Sub-Processing
7.1 You hereby provide a general authorization for OceanBase to appoint sub-Processors to process Customer Personal Data on your behalf, provided that OceanBase ensures that the terms on which it appoints such sub-Processors comply with applicable Data Protection Laws and are consistent with the obligations imposed on OceanBase in this DPA.
7.2 Unless otherwise required by Data Protection Laws (in which case Section 7.3 shall apply), Section 7.1 constitutes your general authorization for OceanBase’s engagement of onward sub-Processors under this DPA, the EU Standard Contractual Clauses, and UK Standard Contractual Clauses Addendum set forth in the Schedule.
7.3 To the extent required by Data Protection Laws, OceanBase shall give you reasonable prior notice before its appointment of sub-Processors. Such reasonable prior notice may include contacting you at the email address associated with your account and directing you to an updated list of sub-Processors made available on OceanBase’s website. If within ten (10) days of your receipt of such notice, you notify OceanBase in writing of any objections (on reasonable grounds associated with data protection considerations) to the proposed appointment:
a) OceanBase may elect to make available a commercially reasonable change in the provision of the OceanBase Cloud Services which avoids the use of that proposed sub-Processor; or
b) where no commercially reasonable change is made available by OceanBase, you may (i) terminate the CSA, in accordance with the terms of the CSA; or (iii) cease using the affected OceanBase Cloud Services.
In the absence of any written notification from you in relation to the proposed appointment, such appointment shall be deemed agreed by you.
8. Data Transfer
8.1 For any transfer by you of Customer Personal Data from (i) the European Economic Area and Switzerland and/or (ii) the United Kingdom (collectively, “Restricted Countries”) to OceanBase in a country or region which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Data Protection Laws of the Restricted Countries) as required to perform the OceanBase Cloud Services, such transfer shall be governed by (i) the EU Standard Contractual Clauses and/or (ii) the UK Standard Contractual Clauses Addendum set forth in the Schedule.
8.2 OceanBase agrees to comply with the EU Standard Contractual Clauses and the UK Standard Contractual Clauses Addendum (as applicable) set forth in the Schedule. For these purposes, and notwithstanding that you may be an entity located outside of the Restricted Countries, OceanBase shall be the “data importer” and you shall be the “data exporter” under the EU Standard Contractual Clauses and UK Standard Contractual Clauses Addendum set forth in the Schedule.
8.3 The EU Standard Contractual Clauses and the UK Standard Contractual Clauses Addendum, and the Schedule are hereby incorporated by reference into this DPA and shall form an integral part thereof.
9. Your Information Rights
9.1 OceanBase will comply with obligations applicable to OceanBase’s processing of Customer Personal Data under the Data Protection Laws. No more than on one (1) occasion in any calendar year, on prior written reasonable notice, OceanBase shall make available to you necessary information (including but not limited to its security policies) to demonstrate OceanBase’s compliance with its obligations under this DPA. To the extent that Customer’s audit requirements under applicable Law or EU Standard Contractual Clauses and the UK Standard Contractual Clauses Addendum (as applicable) cannot reasonably be satisfied through the foregoing provision of necessary information, OceanBase will allow for additional audits, including inspections, by you (or another auditor mandated by you), provided that (a) you demonstrate to the reasonable satisfaction of OceanBase that such additional audits are required by applicable Law; (b) the Parties will mutually agree upon the scope, timing, duration, and control and evidence requirements before the conducting of the audit; (c) if Customer mandates an auditor, such auditor must not operate businesses in competition with OceanBase and has entered into a non-disclosure agreement with OceanBase on terms acceptable to OceanBase; and (d) to the extent permitted by applicable Law, upon OceanBase’s request, Customer is responsible for bearing all costs and fees related to such audit, including all reasonable costs and fees for any and all time OceanBase expends for any such audit.
9.2 OceanBase will notify you in writing if OceanBase makes a determination that it can no longer meet its obligations under the Data Protection Laws. You have the right, upon providing notice to OceanBase, to take reasonable and appropriate steps to stop and remediate unauthorised processing of Customer Personal Data, including where OceanBase has notified you that it can no longer meet its obligations under the Data Protection Laws.
9.3 For the avoidance of doubt, the exercise of audit rights under the EU Standard Contractual Clauses and UK Standard Contractual Clauses Addendum set forth in the Schedule shall be as described in this Section 9.
10. Duration
Notwithstanding the expiry or earlier termination of the CSA, this DPA, the EU Standard Contractual Clauses and the UK Standard Contractual Clauses Addendum (if applicable) set forth in the Schedule will remain in effect until the deletion or return of all Customer Personal Data as described herein.
Schedule to the OceanBase Data Processing Addendum
EU Standard Contractual Clauses and UK Standard Contractual Clauses Addendum
1. Definitions
1.1 “EU Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available here.
1.2 “UK Standard Contractual Clauses Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, available here.
1.3 The terms “Controller”, “Data Subject”, and “Processor” shall have the same meaning given to them or correlative terms under applicable Data Protection Laws.
2. EU Standard Contractual Clauses
For transfer of Customer Personal Data out of the European Economic Area or Switzerland subject to Section 8 of the DPA, the EU Standard Contractual Clauses are incorporated into this DPA by reference in the following manner:
2.1 Module Two (Controller to Processor) shall apply to the extent you are a Controller and Module Three (Processor to Processor) shall apply to the extent you are a Processor;
2.2 The optional Clause 7 is excluded;
2.3 For the Clause 9(a), Option 2 (General Written Authorisation) is selected, and the time period for prior notice of sub-Processor changes is set forth in Section 7 of the DPA;
2.4 For the Clause 11(a), the option paragraph is excluded;
2.5 For the Clause 17, Option 1 is selected, and the EU Standard Contractual Clauses shall be governed by the law of Ireland;
2.6 For the Clause 18, the dispute shall be resolved before the courts of Ireland;
2.7 For Part A of Annex I, the following shall apply:
a) Data exporter: The entity identified as “you” in the CSA;
Contact information: the email address associated with your account;
Activities relevant to the data transferred under these Clauses: The data importer provides the OceanBase Cloud Services to the data exporter in accordance with the CSA.
Role: As outlined in Section 2 of the DPA; and
Signature & Date: The date when you click a box indicating acceptance to the CSA (e.g. I agree to the OceanBase Cloud Services Agreement, or similar button), or execute an order form that references the CSA, or use free services provided by OceanBase.
b) Data importer: OceanBase (as defined in the CSA);
Address: as specified in the CSA;
Contact information: as provided under the “Notices” section of the CSA;
Activities relevant to the data transferred under these Clauses: The data importer provides the OceanBase Cloud Services to the data exporter in accordance with the CSA.
Role: As outlined in Section 2 of the DPA; and
Signature & Date: The date when you click a box indicating acceptance to the CSA (e.g. I agree to the OceanBase Cloud Services Agreement, or similar button), or execute an order form that references the CSA, or use free services provided by OceanBase.
2.8 For Part B of Annex I, the description of the transfer is as described in Section 6 of the DPA (Details of Processing). The frequency of transfer may be on a continuous basis;
2.9 For Part C of Annex I, the competent supervisory authority/ies shall be determined according to the General Data Protection Regulation and Clause 13 of the EU Standard Contractual Clauses;
2.10 For Annex II, Section 4.5(a) of the DPA states the technical and organizational security measures implemented by the data importer;
2.11 For Annex III, the Controller has authorised the use of the sub-Processor(s) listed here; and
2.12 Where the Transfer relates to Personal Data governed by the laws of Switzerland, the Parties agree that:
a) All references in the 2021 SCCs to “EU,” “Union” or “Member State” will be interpreted as references to Switzerland and all references in the EU Standard Contractual Clauses to provisions in EU law will be interpreted as references to the relevant provisions of the laws of Switzerland;
b) For the purpose of Clause 17 of the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be governed by the laws of Switzerland;
c) For the purpose of Clause 18 of the EU Standard Contractual Clauses, any dispute arising from the EU Standard Contractual Clauses will be resolved by the courts of Switzerland; and
d) For the purpose of Part C of Annex I of the EU Standard Contractual Clauses, the competent supervisory authority is the data protection authority of Switzerland.
3. Mutual Understanding regarding EU Standard Contractual Clauses
3.1 Both you and OceanBase agree that each of the following forms an integral part of the EU Standard Contractual Clauses and set out the mutual understanding of their respective obligations under the EU Standard Contractual Clauses:
a) For Clause 8.9 of the EU Standard Contractual Clauses, you acknowledge and agree to exercise your audit right under the respective clause according to Section 9 of the DPA;
b) For Clause 9(c) of the EU Standard Contractual Clauses, you acknowledge and agree that OceanBase may be restricted from providing sub-processor agreement(s) due to confidentiality obligation; and
c) For Clause 12 of the EU Standard Contractual Clauses, you acknowledge and agree that any liability and claims arising from the Standard Contractual Clauses shall be in accordance with and to the limitation set forth in the CSA.
4. UK Standard Contractual Clauses Addendum
4.1 For transfer of Customer Personal Data out of the United Kingdom subject to Section 8 of the DPA, the UK Standard Contractual Clauses Addendum is incorporated into this DPA by reference in the following manner:
a) The applicable version of the EU Standard Contractual Clauses appended to this DPA shall apply for the purposes of Table 2 of the UK Standard Contractual Clauses Addendum;
b) The provisions of the UK Standard Contractual Clauses Addendum, including Part 2 ‘Mandatory Clauses’, shall apply in full and are hereby incorporated by reference to this DPA;
c) Table 1 of the UK Standard Contractual Clauses Addendum, the names of the parties, their roles and their details shall be considered populated by the information set out in Annex I of the EU Standard Contractual Clauses;
d) Tables 2 and 3 of the UK Standard Contractual Clauses Addendum shall be considered populated by the applicable version of the EU Standard Contractual Clauses as appended to this DPA, including the information set out in the Annexes of the EU Standard Contractual Clauses; and
e) For the purposes of Table 4 of the UK Standard Contractual Clauses Addendum, neither Party may end the UK Standard Contractual Clauses Addendum.