Radware Data Processing Agreement (Customer)

Definitions and Interpretation

1. Unless otherwise defined herein, capitalized terms and expressions used in this DAP shall have the following meaning:

   1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the share of the stock, equity or voting interests of a party.

   2. “Applicable Data Protection Laws" means, as the case may be, data protection laws addressing the safeguarding and lawful Processing of Personal Data that apply to the Services ordered by Customer, including, if Customer resides in an EU member country, GDPR and complementary data protection laws in EU member countries.

   3. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data, and in the context of this DPA shall mean the Customer.

   4. “Controller to Processor SCCs” means the Standard Contractual Clauses in the Annex to the European Commission Decision dated February 5, 2010 (2010/87/EU), as may be amended or replaced from time to time by the European Commission.

   5. "Customer Personal Data" means Personal Data described in Schedule A and any other Personal Data provided to Processor by or on behalf of Customer or by Customer’s end users for Processing on behalf of the Customer pursuant to or in connection with the Principal Agreement.

   6. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates;

   7. "DPA" means this Global Data Processing Agreement and all Schedules thereto.

   8. EEA" means the European Economic Area.

   9. "GDPR" means EU General Data Protection Regulation 2016/679.

   10. “Personal Data” means as the meaning ascribed to “personally identifiable information,” “personal information,” “personal data” or equivalent terms as such terms are defined under Applicable Data Protection Laws.

   11. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by the Service.

   12. "Processing" or “Process” means any operation or set of operations that is performed upon Personal Data in connection with the Services, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as described in the Principal Agreement and in Schedule A.

   13. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of a Controller, and in the context of this DPA shall mean Radware.

   14. Radware” means Radware Ltd. or Radware Inc. depending on the Radware entity which is a party to the Principal Agreement.

   15. "Services" means the services provided by Radware to Customer pursuant to the Principal Agreement.

   16. “Subprocessor" means any third party appointed by Radware to process Customer Personal Data on behalf of the Customer in connection with this DPA.

   17. "Supervisory Authority" means an independent public authority which is established in a jurisdiction under Applicable Data Protection Laws with competence over matters pertaining to data protection.

Processing of Customer Personal Data

1. Processor shall:

   1. comply with Applicable Data Protection Laws in the Processing of Customer Personal Data; and

   2. not Process Customer Personal Data other than on the Customer’s documented instructions including as described in Schedule A and in the Principal Agreement.

2. The Customer instructs Processor to process Customer Personal Data in accordance with Applicable Data Protection Laws: (a) to the extent required in order to carry out the Services pursuant to the Principal Agreement; (b) as further specified in the Data Processing Profile of the applicable Service attached hereto as Schedule A; (c) as further specified through Customer’s use of the Service Portal and other functionalities of the Services; and (d) as further documented in any other written instructions given by Customer to Radware.

3. Customer acknowledges and agrees that:

   1. Customer is (or is acting with full authority on behalf of) the “Controller” of any Customer Personal Data. Customer will comply with all legal requirements applicable to a Controller of Personal Data in connection with the Services and the Customer Personal Data.

   2. Customer will (i) not disclose any Customer Personal Data or other Personal Data and information to Radware, nor shall Customer transmit or cause to be transmitted through the Service any Customer Personal Data or other Personal Data and information, if such disclosure or transmission would violate any applicable law including any Applicable Data Protection Laws, in particular Customer shall ensure it has all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to Radware for the duration and purposes of the Principal Agreement; (ii) not request Radware to use, disclose or otherwise Process Customer Personal Data or other Personal Data and information in any manner that would violate any Applicable Data Protection Laws ; (iii) disclose to Radware or transmit or cause to be transmitted through the Services only the minimum amount of Customer Personal Data reasonably necessary for Radware to perform the Services under the Principal Agreement; and (iv) where practicable and commercially reasonable, de-identify and/or encrypt any such Customer Personal Data before making it available to Radware or before transmitting or cause to be transmitted such Customer Personal Data through the Services.

Processor Personnel

Processor  shall  take  reasonable  steps  to  provide  the  reliability  of  any employee, agent or contractor of Processor who may have access to the Customer Personal Data, providing in each case that access is strictly limited  to those  individuals  who  need  to  know  and/or access  the relevant Customer Personal Data, as strictly necessary for the purposes of the  Principal  Agreement,  and  to  comply with  Applicable Data Protection Laws  in  the context of that individual's duties to the Processor,  providing that  all  such  individuals  are  subject  to confidentiality  undertakings  or professional or statutory obligations of confidentiality.

Security

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor  shall  in  relation  to  the  Customer  Personal  Data implement appropriate technical and organizational measures designed to provide  a level of security appropriate to that risk in the provision of the Services, including, if applicable and as appropriate,  in consistent with the measures as referred to in Article 32(1) of the GDPR, and as set forth in Schedule B.

2. In assessing the appropriate level of security, Processor shall take account in particular the risks that are presented by Processing, in particular from a Personal Data Breach.

Subprocessing

1. Except as set forth is section 5.3 below, Processor shall not appoint (or disclose any Customer Personal Data to) any Subprocessor unless required or authorized by the Customer.

2. With respect to each Subprocessor, Radware will impose substantially similar data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor Processing any Customer Personal Data. As between the Customer and Radware, Radware shall remain fully liable for all acts or omissions of any Subprocessor appointed by it pursuant to this section 5.2 and section 5.3 below.

3. The Customer acknowledges and agrees that Radware uses the Subprocessors set out in Schedule C and as described in Schedule A, for the purpose of Processing data in connection with the Services including for the purpose of Processing Customer Personal Data; provided that Radware reserves the right to update the list of Subprocessors in Schedule C by providing a notice in writing to Customer, and such updated list shall be deemed accepted by Customer unless Customer raises an objection in writing within thirty (30) days of receipt of such notice. The Customer acknowledges that where it raises an objection to the use of a Subprocessor its use of the Service under the Principal Agreement may be limited or impossible and Processor shall have no liability in respect of any such limitation or impossibility. Customer’s sole recourse if Customer objects to the appointment of a new Subprocessor will be to terminate the Principal Agreement with regard to the affected Service by providing Radware with written notice within thirty (30) days of receipt of the notice informing Customer of a change in the list of Subprocessors.

Data Subject Rights

1. Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations,  as  reasonably   understood   by   Customer,   to  respond to requests to exercise Data Subject rights under Appliable Data Protection Laws.

2. Processor shall:

   1. Promptly notify Customer if it receives a request from a Data Subject under Applicable Data Protection Law in respect of Customer Personal Data; and

   2. Not respond to that request except on the documented instructions   of Customer or as required by Applicable Data Protection Law to which the Processor is subject, in which case Processor shall, to the extent permitted by Appliable Data Protection Laws, inform Customer of that legal requirement before the Processor responds to the request.

Personal Data Breach

1. Processor shall notify Customer without undue delay within 72 hours upon Processor becoming aware of a Personal Data Breach, thereby providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Laws.

2. Processor shall reasonably co-operate with the Customer and take reasonable commercial steps as are reasonably directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Applicable Data Protection Laws (including article 35 or 36 of the GDPR to the extent applicable), in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Processor. To the extent that any such impact assessment and/or prior consultation requires assistance beyond Radware providing the applicable Radware processing record(s) and documentation, Radware reserves the right to charge Customer for such engagement at Radware’s then current daily rates.

Deletion or return of Customer Personal Data

1. Subject to this section 9, Processor shall, as soon as reasonably feasible after the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), but, in any event, in accordance with Applicable Data Protection Laws, delete and procure the deletion of all copies of those Customer Personal Data.

2. Upon Customer’s request, Processor shall provide written confirmation to Customer that it has fully complied with this section 9 within ten (10) business days of the Cessation Date.

Information and Audit Rights

1. The Processor maintains ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 certifications, which are issued by an independent third-party auditor. The Processor will continue to undergo regular ISO/IEC 27001:2013, ISO/IEC 27017 and ISO/IEC 27018 audits necessary for maintaining such certifications for the Services during the term of the Principal Agreement. Moreover, an annual Service Organization Control 2 (SOC 2) Type II Report is being prepared for Radware’s cloud Services and in addition Radware relies on the SOC 2 Type II audits undergone by some of its Subprocessors. Subject to the Processor’s confidentiality obligations and no more than once a year, the Processor will provide the Customer with a copy of the most recent SOC 2 Type II Report(s) and/or excerpt of any of Processor’s available SOC 2 Type II Report and such Reports of its Subprocessors upon written request by the Customer.

   The Customer agrees that the Processor’s obligations set forth in this section 10.1 fully satisfy the information and audit rights under Applicable Data Protection Laws, including under Article 28.3(h) of the GDPR as well as under Clause 5(f) and Clause 12 (2) of the Controller to Processor SCCs.

2. The audit rights of the Customer under section 10.1 above are without derogating from any audit rights provided under the Principal Agreement (if any).

Data Transfer

1. Customer allows the transfer of Customer Personal Data outside the country from which it is originally collected provided that such transfer is required in connection with the provision of Services under the Principal Agreement and such transfers take place in accordance with Applicable Data Protection Laws.

2. Where GDPR applies, Customer agrees and consents to Processor‘s transferring or authorizing the transfer of Customer Personal Data to countries outside the EU and/or the European Economic Area (EEA) for the purpose of the provision of the Services; provided however, that in the event of any transfer of Customer Personal Data Processed under this DPA from a country within the European Economic Area to a country outside the European Economic Area which does not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws or which transfer is not otherwise governed by a framework approved by the European Commission to which Processor or any of its Affiliates is officially certified, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, unless agreed otherwise, the Parties agree that the EU approved Controller to Processor SCCs shall come into effect and be deemed executed upon execution of this DPA and shall apply pursuant to the order of precedence described in section 12.1 below. In the event the Controller to Processor SCCs apply, Appendix 1 thereto shall be deemed to be prepopulated with the relevant Schedule A of this DPA, Appendix 2 thereto shall be deemed to be prepopulated with Schedule B of this DPA and the Data Exporter and Data Importer thereunder shall be the Controller and Processor, respectively.

General Terms

1. This DPA is without prejudice to the rights and obligations of the parties under the Principal Agreement which shall continue to have full force and effect. Any claims brought under this DPA shall be subject to the terms of the Principal Agreement including, without limitation, choice of jurisdiction, governing law and any liability limitations or exclusions. In the event of any conflict between the terms of this DPA and the terms of the Principal Agreement and/or any other agreements between the parties, including (except where explicitly agreed otherwise in writing and signed on behalf of the parties) agreements entered into or purported to be entered into after the date signing or acceptance of this DPA, the terms of this DPA shall prevail but only so far as the subject matter concerns the processing of Personal Data.

   In the event of any conflict or inconsistency between this DPA or the Principal Agreement and the Controller to Processor SCCs, the Controller to Processor SCCs shall prevail.

2. Radware’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Principal Agreement.

3. In the event the Principal Agreement does not include limitations of liability, the following limitations of liability will apply between the parties in connection with this DPA including with regards to the Controller to Processor SCCs:

4. Neither party shall be liable to the other party or to any third party, for any special, indirect, incidental or consequential, exemplary or reliance damages, losses or expenses (including without limitation, loss of profits, loss of information, loss or corruption of data, loss or interruption of business) arising from or in any way connected with the parties’ obligations under this DPA, however caused, and whether based on contract, tort (including negligence), equity or other theory of liability whatsoever, even if such party has been advised of the possibility of such damages or losses or expenses. Without derogating from the foregoing, except for liability for payments for the Services, in no event shall a party’s total aggregate liability to the other party exceed the amounts actually paid to Supplier for the Service that is the subject matter of the claim during the twelve (12) month period preceding the damaging event. This section will survive the termination/expiration any sale/purchase document between Radware and Customer. Notwithstanding the foregoing, none of the exclusions and limitations in this section shall apply in respect of (i) liability in negligence causing personal injury or death; (ii) liability for fraudulent misrepresentation; or (iii) any other liability which cannot by law be excluded or limited (as appropriate).

5. In the event the Principal Agreement does not include a provision addressing governing law and jurisdiction, the following will apply between the parties in connection with this DPA:

6. This DPA will be governed and construed in accordance with the substantive laws of, and exclusive venue will be located in: (i) Israel if Customer is located in Israel; (ii) England and Wales if Customer is located in EMEA; (iii) Singapore if Purchaser is located in APAC; and (iv) the state of New York for all other Customer locations.

7. The applicable law provisions of this DPA are without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Controller to Processor SCCs where applicable to transfers of Personal Data from the European Union to a third country.

8. To the extent that Processing relates to Personal Data originating from a jurisdiction or Processed in a jurisdiction which has any mandatory requirements in addition to those that are set out in this DPA, Customer will inform Radware of such additional mandatory requirements and both parties may agree to any additional measures required to provide compliance with such applicable additional mandatory requirements and any such additional measures agreed to by the parties will be documented as an Annex to this DPA or in an Order under the Principal Agreement. Due to the fact that Radware has no control over the type, character, properties, content, and/or origin of Customer Personal Data Processed hereunder, notwithstanding anything to the contrary herein, Radware shall not be in breach of this DPA or the Principal Agreement or liable to Customer to the extent Customer Personal Data subject to jurisdictional requirements mandating security, processing or other measures not set forth in, or contrary to the terms of, this DPA is provided by Customer without first informing Radware and amending this DPA or entering into an Order addressing the same.

9. If any variation is required to this DPA as a result of a change in Applicable Data Protection Laws, including any variation which is required to the Controller to Processor SCCs, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this DPA, including the Controller to Processor SCCs, to address such changes.

10. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be: (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible, or, if this is not possible; (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

11. To the maximum extent legally permitted, there are no third-party beneficiaries under this DPA.