DPA TERMS

Kestra Technologies offers Cloud services in the form of access to a cloud-hosted orchestration platform, along with support services and associated software available worldwide. Kestra provides several different features and functionalities that can be customized by the Customer, or by the Controller (if applicable). The Parties intend to define the terms of the Processing of data and the responsibilities of each one regarding the Processing of data. If there is any conflict between this DPA and the Agreement regarding the Parties’ respective privacy and security obligations, the provisions of this DPA shall control.

DEFINITIONS.

Capitalized terms used in this DPA but not defined herein shall have the meaning given to them in the Agreement or Applicable Data Protection Law.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. For purposes of this definition, “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means the agreement that governs the provision of Services by Kestra to the Customer for its own use or for resale, including the Order Forms and this DPA, signed and executed by the Customer.

“Applicable Data Protection Law” means all data privacy or data protection laws and regulations applicable to the processing of Personal Data under the Agreement, which may include (i) the EU General Data Protection Regulation EU/2016/679, as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to Applicable Data Protection Law, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Kestra but has not signed its own Order Form with Kestra and is not a “Customer” as defined under this DPA.

“Controller” has the meaning set forth under Applicable Data Protection Law.

“Customer” means the Customer that executed the Agreement together with Customer’s Affiliates (for so long as they remain Affiliates) which have signed Order Forms.

“Customer’s Personal Data” means Personal Data Processed by Kestra for the purposes of the Services provided under the Agreement.

“Data Processing and Transfer Description” means the information set forth in Appendix A.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” shall have the same meaning as the term “personal data”, “personally identifiable information (PII)” or the equivalent term under Applicable Data Protection Law.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Data transmitted, stored or otherwise Processed.

“Processor” has the meaning set forth under Applicable Data Protection Law. In most cases the Processor will be Kestra.

“Restricted Transfers” means the transfer of Personal Data to a Third Country and includes transfers to Kestra and onward transfers from Kestra to Sub-processors.

“Sub-Processor” means either Kestra, if applicable, a Kestra Affiliate, or a Processor appointed by Kestra to assist in providing the Kestra Service.

“Standard Contractual Clauses” or “SCCs” means the clauses set forth in the European Commission’s decision 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR or, in respect of the UK, the UK’s Information Commissioner’s Office as defined in Data Protection Legislation.

“Kestra Service” means the Cloud services and other activities to be supplied to or carried out by Kestra pursuant to the Agreement.

“Technical and Organizational Measures” means the measures set forth under Section 9.

“Third Country” means a country or territory outside the EEA, the UK and Switzerland, or any other country that has not received an adequacy decision from the European Commission, where applicable, and which differs from the region in which the Customer is established.

“Third-Party Services” means certain services and applications, including Non-Kestra Applications and Add-ons (as defined in the Agreement), operated by various third parties available on the online marketplace.

  1. RELATIONSHIP AND PROCESSING OF DATA BY THE PARTIES.
    1. Roles of the Parties. As further set forth in the remainder of this Section 2, Kestra shall process Personal Data only according to the documented instructions of Customer, and the Parties therefore acknowledge and agree that (i) where Customer is a Data Controller, Kestra is a Data Processor, and (ii) where Customer is a Data Processor, Kestra is a Sub-processor to Customer.
    2. Customer’s Processing of Personal Data. The Customer retains control of the Customer’s Personal Data and remains responsible for its compliance obligations under the Applicable Data Protection Law, including providing any required notices, information and obtaining any required consents, and for the processing instructions it gives to Kestra. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired and processed Personal Data. Customer specifically represents that its use of the Services will not violate the rights of any Data Subject.
    3. Kestra’s Processing of Personal Data. Kestra shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with the instructions in Section 2 below.
    4. Details of the Processing. The subject-matter of Processing of Personal Data by Kestra is the performance of the Services pursuant to the Agreement. The duration of the Processing, nature and purpose, types of Personal Data and categories of Data Subjects Processed under this DPA are specified in Data Processing and Transfer Description Appendix A.
    5. Duration of Processing. Subject to Section 13 and the Data Processing and Transfer Description, Kestra may Process Personal Data during the Term of the Agreement unless otherwise agreed upon in writing.
  2. INSTRUCTIONS.
    1. Processing Instructions. Kestra shall not Process Customer’s Personal Data other than in accordance with the Customer’s documented instructions unless the processing is required by applicable laws. The Agreement and the DPA will be considered as the only documented instructions relevant to the purposes of this DPA as of the date of signature of this DPA. Customizations and configurations performed by the Customer, or the Controller (if applicable), using the Services are considered Customer’s instructions. Any other instructions will be agreed upon separately; provided, however, that such instructions are (a) reasonable instructions; (b) approved and accepted by Kestra; and (c) consistent with the terms of the Agreement. Kestra agrees not to access or use Customer’s Personal Data, except as necessary to maintain, support, troubleshoot, improve or provide the Kestra Service, or as necessary to comply with the law or other binding governmental order.
    2. Customer Instructions. Customer shall ensure that its instructions comply with all laws, regulations and rules applicable to the Customer’s Personal Data.
  3. THIRD-PARTY SERVICES.

Integration with Third Party Services. If Customer, or the Controller (if applicable), chooses to connect its Kestra account with a Third-Party Service: a) Third-Party Services providers are not deemed Kestra’s Sub-processors for the purposes of this DPA; and b) Customer grants Kestra and such third party permission to access and use its information from that service as permitted by that Third Party Service which might include Personal Data and to store its access credentials/tokens for that Third Party Service solely for the purpose of facilitating such connection.

  4. COMPLIANCE WITH APPLICABLE LAWS.

Use of the Services by Customer. Customer must ensure that its use of the Services is compliant with applicable laws and undertakes, in particular, to:

  • define the grounds of lawfulness to each processing and act accordingly, namely, obtaining and keeping proof of the necessary consents;
  • give all the necessary information to the data subjects; and
  • appoint a data protection officer if required by the GDPR or any relevant laws and, if not, have at least one person responsible for data protection matters available to be contacted by data subjects.
  5. SUB-PROCESSORS.
    1. List of Sub-processors. Kestra shall maintain and make available to Customer an up-to-date list of its Sub-processors. The applicable list of Sub-processors at the date of the Agreement is defined under Appendix A. Customer acknowledges and hereby authorizes that (a) Kestra’s Affiliates may be appointed as Sub-processors; and (b) Kestra and Kestra’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A list of Kestra’s current Authorized Sub-Processors (the “List of Sub-processors”) will be made available to Customer, either attached hereto, via email or through another means made available to Customer. The List of Sub-processors may be updated by Kestra from time to time. Kestra may provide and set a mechanism to subscribe to notifications of new Authorized Sub-Processors and Customer agrees to subscribe to such notifications where available. Customer acknowledges that Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent Kestra from offering certain Services to Customer.
    2. Notification of New Sub-processors. Kestra shall provide details of any new Sub-processor at least thirty (30) days prior to any such change, including the details regarding the Sub-processors appointed. Customer shall have the right to object as set forth below. Such information will be sent to the signatories of this DPA if a Customer Contact is not provided.
    3. Objection Right for New Sub-processors. Customer may object to Kestra's appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is in writing, sent to the Kestra Contact, and based on reasonable grounds relating to data protection. In such event, the Parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution, Kestra will either (i) not use, appoint, or replace the Sub-processor with respect to Customer or (ii) if clause (i) is not possible, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Kestra without the use of the objected-to new Sub-processor by providing written notice to Kestra. Kestra will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination under clause (ii) in the preceding sentence with respect to such terminated Services, without imposing a penalty for such termination on Customer. If Customer does not object to the appointment of a new sub-processor within thirty (30) days after being provided the details from Kestra, the appointment or replacement of the relevant sub-processor shall be deemed approved by the Customer.
    4. Liability for Sub-processors. Kestra shall be liable for the acts and omissions of its Sub-processors to the same extent Kestra would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
  6. RIGHTS OF DATA SUBJECTS.
    1. Data Subject Request. If Kestra receives a data subject request, Kestra will not respond directly to the data subject and will instead direct the data subject to directly contact the Customer.
    2. Kestra Request Assistance. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Kestra shall, upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such Data Subject Request to the extent Kestra is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Law. To the extent legally permitted, Customer shall be responsible for any costs arising from Kestra’s provision of such assistance.
  7. INTERNATIONAL DATA TRANSFERS.
    1. Acknowledgement. It is acknowledged that Kestra, itself or through authorized Subcontractors, in the course of its regular activities, may provide Services from countries and territories located outside the EEA. This Section sets out the provisions relating to how Personal Data processed under this DPA may be transferred from a country or territory within the EEA to a country or territory outside the EEA, or accessed from a country or territory outside the EEA, either directly or by onward transfer (each a “Transfer”) by Kestra, acting itself and/or through Authorized Processors, and the Customer hereby gives its specific written mandate, authorization and instructions to Kestra for the purpose of carrying out such Transfers when providing the Services from locations outside the EEA, as set out below.
    2. Transfer Agreement. For the purposes of Transfers of Personal Data under this DPA, the Customer and Kestra incorporate, to the extent applicable, the relevant Standard Contractual Clauses as if set out in full in this DPA (the “Data Transfer Agreement”), pursuant to which the Customer, for its own part and on behalf of each Controller, acts as “data exporter” and Kestra, itself and/or through any authorized Sub-Processor outside the EEA, acts as “data importer” (as those terms are defined in the Standard Contractual Clauses). The signing and dating of this DPA by the Parties shall be deemed to be the signing and dating of the Data Transfer Agreement (the Customer signing as data exporter and Kestra signing as data importer). The terms of the relevant Data Transfer Agreements, if any, shall prevail over any conflicting or inconsistent terms of this DPA to the extent of the conflict or inconsistency.
  8. CONFIDENTIALITY.
    1. Confidentiality. Kestra shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Kestra shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
    2. Limitation of Access. Kestra shall ensure that Kestra’s access to Personal Data is limited to those personnel performing Cloud Services in accordance with the Agreement.
  9. SECURITY.
    1. Protection of Customer’s Personal Data. Taking into account the state of the art and the costs of implementation, Kestra shall maintain appropriate technical and organizational measures for the protection of security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer’s Personal Data), confidentiality and integrity of Customer’s Personal Data.

The Data Processor especially agrees to take all necessary precautions with respect to the nature of the Data and the risks encountered by its processing in order to preserve the security of the Data files and especially the prevention of any corruption, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or access by any unauthorized third parties.

In particular, the Data Processor agrees to ensure total separation between the Data Controller’s Data and the Data Processor’s other clients via a reasonable and physical or logical separation.

The means implemented by the Data Processor for ensuring the security and confidentiality of the Data especially includes the following measures:

  • the encryption of Personal Data
  • the means of ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the means of restoring access and availability of Personal Data within the appropriate/defined time limits in the event of a physical or technological mishap
  • a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure safe processing

The Data Processor agrees to maintain these measures throughout the entire Agreement period and to immediately inform the Data Controller of any failures that may impact the Data Controller’s Data.

In all cases, when any of the methods for ensuring the security and confidentiality of the Personal Data and files are changed, the Data Processor agrees to replace them with superior methods. No change shall lead to a lessening of the security level.

    2. Notification of Personal Data Breach. Kestra shall, to the extent permitted by law, notify the Customer at the email address identified on the signature page without undue delay and within forty-eight (48) hours after becoming aware of any Personal Data Breach. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by Kestra, Kestra shall make reasonable efforts to identify and remediate the cause of such Personal Data Breach to the extent the remediation is within Kestra’s reasonable control. The obligations herein shall not apply to incidents that are demonstrated by Kestra to be caused by Customer or Customer’s Authorized Users.

Without prejudice to any other information required under Data Protection Legislation, and to the extent of Kestra’s knowledge and the information available at the time of the notification, the security breach notification shall, at a minimum, include the following information:

  • Date and time of the breach;
  • Circumstances at the origin of the breach;
  • Likely consequences of the breach: loss of confidentiality, loss of integrity and/or loss of availability;
  • Nature and content of concerned personal data;
  • Reliance on a third party in order to provide the service concerned by the breach;
  • Categories and approximate number of data subjects affected by the data breach;
  • Potential consequences and damages;
  • Estimate of severity level: insignificant, limited, important, maximal;
  • Where applicable, the name and contact details of the person from whom additional information may be requested (Data Protection Officer, Information System Security Manager…)
  10. AUDITS.
    1. Third-Party Certifications and Audits. Kestra uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer’s Personal Data. Such audits are conducted at least annually, performed at Kestra’s expense by independent third-party security professionals of Kestra’s selection, and result in the generation of a confidential audit report. A list of Kestra’s certifications and/or standards for audit as of the date of this DPA can be found at http://kestra.io/trust.
    2. Audit Reports. Upon Customer’s written request and no more than once a year, Kestra will provide to Customer a copy of Kestra’s most recent audit report(s) generated as described in Section 11.1. Customer further agrees: (i) that any such audit reports meet Customer’s audit requirements, and (ii) to exercise any right it may have to conduct an inspection or audit (including under Standard Contractual Clauses, as applicable) by instruction to Kestra to carry out the audit described above in Section 11.1.
  11. EUROPEAN ECONOMIC AREA SPECIFIC PROVISIONS.
    1. GDPR. Kestra will Process Personal Data in accordance with the GDPR requirements directly applicable to Kestra’s provision of its Services as a Processor.
    2. Data Protection Impact Assessment. Upon Customer’s request, Kestra shall provide reasonable assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment solely in relation to the processing of Customer’s Personal Data by Kestra, and taking into account the nature of the processing and information available to Kestra. Kestra shall provide reasonable assistance to Customer in the cooperation or prior consultations with Supervisory Authorities or other competent data privacy authorities which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR.
  12. DELETION OR RETURN OF CUSTOMER’S PERSONAL DATA.
    1. Retention. The time of retention of Personal Data shall be defined by the Customer or, as applicable, the Controller, and the contacts and other personal data recorded by the Customer can be deleted by the Customer at any time.
    2. Deletion. Following termination or expiry of the Agreement, Kestra will delete all Customer’s Personal Data as set out in the Agreement or promptly upon Customer’s request. This requirement shall not apply to the extent that Kestra is required by law to retain some or all of the Customer’s Personal Data.
    3. Return. Kestra may provide several tools to allow the Customer to export its data. In the event Customer opts not to use such tools and instead requests that Kestra return Customer’s Personal Data, Kestra will provide assistance with the return of such data, at Customer’s expense.
  13. AUTHORIZED AFFILIATES.
    1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Kestra and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 13. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt: a) an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA; and b) any limitation of liability agreed between the parties shall be understood as an aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together and not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement, and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
    2. Communication. The Customer shall remain responsible for coordinating all communication with Kestra under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
    3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Kestra, it shall, to the extent required under Applicable Data Protection Law, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
      1. Except where Applicable Data Protection Law requires the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Kestra directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 13.3.2, below).
      2. The parties agree that the Customer who is the contracting party to the Agreement, shall, when carrying out an onsite audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Kestra and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
  14. LEGAL EFFECT.

This DPA supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this DPA, including any prior data processing addenda entered into between Kestra and Customer. If there is any conflict between this DPA and any agreements between the Parties, including the Agreement, the terms of this DPA shall control.

  15. GOVERNING LAW AND JURISDICTION.
    1. Without prejudice to governing law and jurisdiction clauses of the Standard Contractual Clauses:
      1. the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity; and
      2. this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

APPENDIX A

Data Processing and Transfer Description

Section 1. Categories of personal data processed

Kestra, as Data Processor, may process the following categories of personal data, depending on the Customer’s usage:

☒ Identification and/or contact details of a data subject

Examples: first name, surname, email address, IP address

☒ Connection data

Examples: username, password, activity logs, access logs, error logs, timestamps

☒ Metadata associated with execution of workflows

Examples: execution status, job identifiers, event timestamps, workflow run context potentially linked to identifiable users

☒ Other: Any data voluntarily introduced by the Customer in the execution of workflows, which may include personal data depending on the Customer’s use of Kestra.

Note: Kestra does not control or determine the nature of such data.

Section 2. Nature of the processing activities

☒ Reading / Consulting / Viewing / Accessing Personal Data

☒ Deleting Personal Data

☒ Hosting Personal Data (only if data is persisted by the Customer in task outputs or workflow executions)

☒ Logging and storing metadata related to Personal Data for a limited retention period defined by internal policy

Kestra does not alter, transform, or test with personal data on non-production environments.

Section 3. Purpose(s) of processing

The purposes of the processing are limited to enabling and supporting the Customer’s use of Kestra’s orchestration platform and associated Cloud Services, as governed by the Agreement.

Section 4. Data Subjects categories

☒ Customer’s users and administrators (e.g. platform engineers, developers, technical staff)

☒ Customer’s end users or clients, whose personal data may transit through Kestra workflows

☒ Other third parties involved in the Customer’s operational or data workflows (e.g. contractors, partners, vendors)

Kestra does not collect such data directly; all personal data is processed only on behalf of the Customer based on its usage of the Services.

Section 5. Processing duration

Kestra will retain and process Personal Data:

  • for the duration of the Agreement; and
  • until termination or expiration of the Agreement, upon which Kestra will delete all Customer’s Personal Data unless otherwise instructed in writing by the Customer, or required by law to retain it.

Section 6. Authorized Sub-Processors

The hosting Sub-processors vary depending on the Customer’s location.

The applicable list of Sub-Processors at the date of the Agreement is the following:

Provider        Service                Location of data
Google Cloud    Hosting / Storage      EU / US
Cloudflare      Networking             Global
Github          Source Code            Global
Stripe          Payment / Billing      Global
Hubspot         CRM                    Global
Zendesk         Support                Global
Posthog         Analytics              EU
Slack           Support                Global
MailChimp       Marketing / Emailing   Global