Data Processing Addendum
This Data Processing Addendum (“DPA”) is an agreement between Ably and Customer. This DPA incorporates, if applicable, the Standard Contractual Clauses and supplements the Ably Terms of Service (in which case "you" is the "Customer" and "we" refers to Ably Realtime Ltd. ("Ably)), or the Ably Master Solution Agreement, as applicable (“Agreement”). Capitalized terms not otherwise defined herein will have the meanings given to them in the Agreement.
Ably reserves the right at its discretion to propose modifications to this DPA periodically. Ably will notify Customer of such changes via an email sent to the email address Ably has on file for Customer or via other notification mechanisms. Customer's continued use of and access to the Ably Solution after notice of such modifications indicates Customer's acceptance of and agreement to the modified DPA.
Customer acknowledges that Ably is a conduit of Content transmitted through the use of the Ably Solution, some of which may, unbeknownst to Ably, contain Personal Data as defined below. Such Personal Data is held only for as long as needed to transmit it (except if and to the extent the Customer elects to store such data, as data controller). Ably does not, in the provision of the Ably Solution, otherwise use, modify, access, store, process or transmit Personal Data or even have knowledge of its existence.
Customer may be the controller of Personal Data, or the processor of Personal Data. When Customer is the controller and shares Personal Data with Ably, Ably will be the processor of the Personal Data. When Customer is the processor and shares Personal Data with Ably, Ably will be the sub-processor of the Personal Data.
This DPA applies only to the extent that Ably processes Personal Data for Customer as Customer’s processor or sub-processor.
“Data Protection Law”
means all applicable current data protection, privacy and electronic marketing legislation, including (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR”) and the UK GDPR, as that term is defined by section 3(10) (as supplemented by section 205(4)), of the UK Data Protection Act of 2018 (“UK GDPR”); and (ii) any national implementing laws (including laws implementing the Privacy and Electronic Communications Directive 2002/58/EC), and the UK Data Protection Act 2018; and (iii) any other applicable national, provincial, federal, state, and local legislation, including, without limitation, the California Consumer Privacy Act (“CCPA”), and any associated regulations and secondary legislation, as amended or updated from time to time, as applicable to either party.
“EU Standard Contractual Clauses”
means the annex found in the European Commission decision of 4 June 2021 on the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, specifically Module 2 and Module 3 (as applicable), and any modifications and replacements to them, or other standard contractual clauses adopted by the European Commission and entered into by the parties, from time to time.
means Personal Data that is uploaded to, generated by or transmitted via the Ably Solution under Customer’s Ably accounts for processing as described herein.
“Standard Contractual Clauses”
means the EU Standard Contractual Clauses and/or the UK Addendum, as applicable.
means any processor that is engaged by a party to assist in its processing of Personal Data for another party.
means the ICO’s UK Addendum to the EU Standard Contractual Clauses, as amended from time to time, and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“controller”, “data subject”, “processor”, and “processing”
as defined in the UK GDPR or the EU GDPR, as applicable.
Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Law.
This DPA applies to Personal Data processed by Ably for Customer, if any. In this context, Ably may act as processor to Customer, who may act either as controller or processor with respect to Personal Data.
Details of Personal Data processing (Annex 1 and Annex 2 to the EU Standard Contractual Clauses and/or Appendix Information for the UK Addendum, as applicable):
Data Exporter: the Customer.
Data Importer: Ably, a conduit of Content transmitted through the use of the Ably Solution, some of which may, unbeknownst to Ably, contain Personal Data.
Subject Matter: the subject matter of the data processing under this DPA is the data and content as described below.
Purpose: the provision of the Ably Solution initiated by Customer from time to time.
Nature of the Processing: provision of the Ably Solution as described in the Agreement and initiated by Customer from time to time.
Categories of Data Subjects: the data subjects may include Customer's (and its customers’) End Users, visitors, guests, users, employees and staff, as well as any other individuals identified or identifiable within Content shared by such persons or whose Personal Data is captured in Content.
Types of Personal Data: in addition to Personal Data incidentally captured in Content (“Captured Personal Data”), Ably collects and processes the following as a necessary step in providing the Ably Solution, all or some of which may or may not be personally identifying or identifiable information:
End User login credentials
client device descriptions/identifiers (via Ably push notification APIs (https://www.ably.com/documentation/realtime/push)
Special Categories of Data: the parties do not actively or knowingly collect or process, or anticipate the transfer of special categories of personal data, but such data may be included in Captured Personal Data.
Processing Operations: as described in this DPA, including Annex 1.
Duration of processing:
Captured Personal Data: held by Ably momentarily (typically 2 minutes or less but up to 24 hours as necessary to provide the Ably Solution) except to the extent Customer elects to store such Personal Data for a longer period as determined by Customer (as data controller) and via Customer’s instruction to Ably, or until Customer’s account is deleted.
IP addresses: up to 14 calendar days or until Customer’s account is deleted.
End User login credentials: up to 14 calendar days or until Customer’s account is deleted.
client device descriptions/identifiers: until Customer’s account is deleted. Customer agrees to delete such data as soon as it is no longer needed.
Competent Supervisory Authority: Data Protection Commissioner of Ireland (EU); Information Commissioner’s Office (UK; “ICO”).
Customer will ensure and warrants that it has all necessary and appropriate consents and notices, in any form required by Data Protection Law in place to enable lawful transfer of the Personal Data to Ably for the duration and purposes of the Agreement.
Customer will ensure and warrants that where Personal Data is transferred outside the European Economic Area (“EEA”) or outside the UK, as part of Customer’s use or deployment of the Ably Solution, adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer. Subject to Ably’s obligation in section 10.5 below with respect to Ably sub-processors, and section 12 below with respect to the Standard Contractual Clauses if applicable, Customer acknowledges that Customer is solely responsible for ensuring that Personal Data is transferred out of the EEA or the UK in full compliance with the Data Protection Law.
Customer will ensure and warrants that Customer utilizes appropriate technical and organizational measures to ensure a level of security appropriate to such risks, including, as appropriate, the measures referred to in the Data Protection Law.
Customer confirms that it has assessed any security measures in place at the time of this Agreement, and that it will continue to do so on an ongoing basis to ensure its obligations under this DPA. Customer is solely responsible (as between the parties) if such measures fail to meet the standards required by Data Protection Law.
Customer undertakes and confirms that any information required to be provided to a Data Subject has been so provided or an applicable exemption is available and is being relied upon by Customer.
Customer and Ably agree that to the extent each party processes any personal data of the other party’s personnel in connection with entry into the Agreement or the management of their business relationship, such party processes such data as an independent controller.
Ably shall, in relation to any Personal Data processed in connection with the provision of the Ably Service:
10.1. process that Personal Data only on the written instructions of Customer and as set forth in the Agreement except to the extent Ably is required to process data by applicable law. Where Ably is relying on applicable law as the basis for processing Personal Data, Ably shall without undue delay notify Customer unless applicable law prohibits Ably from so notifying Customer;
10.2. not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Ably Solution, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order);
10.3. ensure that it has in place appropriate technical and organisational measures set forth in Annex 1 to this DPA designed to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
10.4. ensure that all Ably personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
10.5. ensure that where Sub-processors are used outside the EEA or the UK such that Personal Data is transferred outside the EEA or the UK, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers to provide an adequate level of protection (in the case of transfers subject to UK GDPR), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level (including without limitation use of the SCCs) and the Data Subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;
10.6. maintain records of processing activities carried out on behalf of Customer as required by Data Protection Law;
10.7. taking into account the nature of the processing, insofar as reasonable and practicable, assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
10.8. notify Customer without undue delay on becoming aware of a Personal Data security incident. Ably is not obligated to report unsuccessful incidents or incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or unauthorised access to Personal Data or any of Ably’s equipment or facilities storing Personal Data. Such non-reportable incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. Ably’s obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgement by Ably of any fault or liability of Ably with respect to the incident; and
10.9. make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this section 10; and
10.10. at the written direction of Customer, delete Personal Data on termination of the Agreement unless required by applicable law to store the Personal Data.
Customer will immediately notify Ably if any necessary appropriate consents and notices required to enable lawful transfer of Personal Data to Ably for the duration and purposes of this Agreement have been breached, terminated, withdrawn, or are otherwise no longer valid.
The parties agree that the EU Standard Contractual Clauses apply if Personal Data subject to the EU GDPR is transferred to Ably or its Sub-processors located in a third country outside of the EEA that the EU Commission does not consider to provide an adequate level of protection. The parties agree that the UK Addendum applies if Personal Data subject to the UK GDPR is transferred to Ably or its sub-processors located in a third country that is outside of the UK and that the UK Secretary of State does not consider to provide an adequate level of protection. As used in this section, the terms “Data Importer” and “Data Exporter” will have the meanings given to them in the Standard Contractual Clauses. The parties acknowledge that for the purposes of the Standard Contractual Clauses Ably is acting in the capacity of a Data Importer and Customer is the Data Exporter (notwithstanding that Customer may be located outside of the EEA or the UK or is acting as a processor on behalf of third-party controllers). Each party will comply with the applicable obligations of the Standard Contractual Clauses in their respective roles as Data Exporter and Data Importer. The data subjects, categories of data, and processing operations (as required to be disclosed in Appendix 1 of the Standard Contractual Clauses) are as set forth in this DPA. Annex 1 to this DPA details the technical and security measures Ably has implemented, as required to be disclosed in Appendix 2 of the Standard Contractual Clauses.
The parties further agree that the governing law of the Standard Contractual Clauses entered into by Ably and the Customer will be as follows: where the EU Standard Contractual Clauses apply and the Customer is established in the EEA, the laws of Ireland control; and where the UK Addendum applies, the laws of England and Wales control. If any inconsistency arises between this section 13 and any other provision for the governing law of the Standard Contractual Clauses entered into between Customer and Ably, this section 13 will take precedence.
In the event of any conflict between this DPA and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail. In the event of any conflict between this DPA and the UK Addendum, the UK Addendum shall prevail.
Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law, by instructing Ably to comply with the audit measures described in Annex 1 to this DPA.
Ably represents and warrants that it has not received any order, request, or other communication from a governmental body for the disclosure of Personal Data and it shall:
16.1. if it receives such order, request, or other communication, attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Ably may provide Customer’s basic contact information to the relevant body. If compelled to disclose Customer Data to a governmental body, then Ably will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Ably is legally prohibited from doing so;
16.2. publish a transparency report or provide information to Customer on request regarding: (a) the number of orders, requests, or other communications from governmental bodies for the disclosure of Personal Data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests, and communications; and
16.3. notify Customer if its ability to maintain the confidentiality and security of Personal Data has been compromised for any reason including by orders, requests or communications described above, and cease processing, including receiving such Personal Data.
Customer agrees that Ably may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services, and consents to the use of Sub-processors as described in this section. The Ably website (currently posted athttps://www.ably.com/legals/sub-processors/) lists Sub-processors that are currently engaged by Ably to deliver the Ably Service. (Such webpage constitutes Annex III/Appendix 3 to the Standard Contractual Clauses if and as applicable.) At least 10 business days before Ably engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Customer, Ably will endeavor to update the applicable website and provide Customer notice of that update as per the means specified for notices in the Agreement. If Customer objects to a new Sub-processor, Customer must notify Ably in writing within ten days of Customer’s notice of the change (without prejudice to any termination rights Customer has under the Agreement), after which time Customer shall be deemed to have consented to the new sub-processor’s appointment in the absence of any such Customer notice. If Customer objects to a new Sub-processor, Ably may either, in its sole discretion: (a) propose an alternative Sub-processor or remain with the current Sub-processor; or (b) refrain from the use of such Sub-processor; or (c) terminate the Customer's subscription on thirty days written notice.
Ably may propose revisions to this DPA by replacing it with any applicable controller-to-processor standard clauses or similar terms forming part of an approved code of conduct or applicable certification scheme (which will apply when replaced by attachment to this Agreement). Customer and Ably will negotiate such changes in good faith as soon as reasonably practicable.
The parties agree that, if any new versions or revisions to the EU Standard Contractual Clauses are approved by the European Commission, or new versions or revision of the UK Addendum are approved and published by the ICO, such that the implementation of the Standard Contractual Clauses in this DPA no longer applies or is no longer appropriate, the parties shall work together to enter into new standard contractual clauses as appropriate.
Where the EU SCCs apply to transfers of Personal Data governed by this DPA, the following options shall be deemed to be selected and incorporated, each clause reference in this section being a reference to a clause in the EU SCCs: (a) Clause 7 shall not apply; (b) at Clause 9, option 2 shall apply for both Module 2 and Module 3; and (c) at Clause 11, the optional redress mechanism shall not apply.
California Consumer Privacy Act (CCPA) Notice: as a “Service Provider” (as that term is defined in the CCPA), Ably will process California Personal Data that is subject to the CCPA strictly for the purpose of providing to Customer the solutions and services described in the Agreement, or as otherwise permitted by the CCPA, and shall not retain, use, or disclose such data for any other purpose.
Where the UK Addendum applies to transfers of Personal Data governed by this DPA, the parties agree that:
22.1. the UK Addendum shall be populated by reference to this DPA and its Annex and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) will not adversely affect the validity of the DPA or the compliance with Data Protection Law of any international transfers of Personal Data made thereunder;
22.2 any formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided;
22.3. without prejudice to any of the rights and remedies under the Agreement, pursuant to Section 19 of the UK Addendum, neither party shall be entitled to terminate the UK Addendum.
DPA ANNEX 1: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (Annex II/Appendix 2 to the Standard Contractual Clauses, and/or UK Addendum Appendix Information, if and as applicable)
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: Ably hosts its Service with AWS and/or applicable affiliates. Additionally, Ably maintains contractual relationships with vendors in order to provide the Service. Ably relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Ably hosts its product infrastructure with multi-tenant, outsourced infrastructure provider Amazon Web Services Inc. The physical and environmental security controls are audited for SOC 2 Type II (https://aws.amazon.com/compliance/soc-faqs/) and ISO 27001 (https://aws.amazon.com/compliance/iso-27001-faqs/) compliance, among other certifications.
Authentication: Ably has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Ably’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
ii) Preventing Unauthorized Product Use
Ably implements industry standard access controls capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: Ably has implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in Ably’s source code repositories is performed, checking for identifiable software flaws, and known vulnerabilities.
Penetration testing: Ably maintains relationships with industry recognized penetration testing service providers for regular penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Ably’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged.
Staff: All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: Ably makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Ably’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Ably stores user passwords following policies that follow industry standard practices for security, and ensure that all passwords are never stored in plain text formats.
c) Input Control
Detection: Ably designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Ably personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Ably maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Ably will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Ably becomes aware of unlawful access to Personal Data stored within its systems under Ably’s control, Ably may: 1) as a member of the ICO, notify the ICO and follow ICO guidelines in regards to procedure; 2) notify the affected Customers and/or data subjects of the incident if required or permitted under applicable law; 3) provide a description of the steps Ably is taking to resolve the incident; and 4) provide status updates to the Customer contact, as Ably deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Ably selects, which may include via email or telephone.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. As Ably’s service is designed to be available across many regions simultaneously, the availability offered is much higher than the underlying infrastructure provider in any single region. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Ably’s products are designed to ensure redundancy and continuity in spite of failures. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Ably operations in maintaining and updating the product applications and backend without downtime.
Customer acknowledges that Ably is regularly audited by independent third party auditors and internal auditors respectively. Upon written request, Ably shall supply (on a confidential basis) a summary copy of its most current audit report(s) to Customer. In addition, Ably shall respond to all reasonable requests for information made by Customer to confirm Ably’s compliance with this DPA, by making additional information available regarding its information security program upon Customer’s written request, provided that Customer shall not exercise this right more than once per calendar year.
f) Back Doors
Ably has not purposefully created back doors, or changed its business processes, in a manner that facilitates systematic access to Captured Personal Data.