Effective February 5, 2024
Ping Identity Corporation (“Ping Identity”) agrees that it will comply with the following provisions with respect to all “Personal Information” collected, used, transmitted or maintained for [insert Customer name] (“Customer”). This Data Processing Addendum (“DPA”) stipulates privacy, confidentiality, and security requirements and demonstrates compliance with applicable privacy, security and data protection laws.
This DPA is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement (as defined below). If an Affiliate of Customer has executed an ordering document with Ping Identity but is not the original signatory to the Agreement, this DPA is an addendum to and forms part of such ordering documentation. Any capitalized terms used in this DPA and not otherwise defined herein shall have the meanings ascribed to such terms in the Agreement.
1. Definitions
(a) “Agreement” means the subscription or license agreement between Customer and Ping Identity pursuant to which Ping Identity Processes any Personal Information for or on behalf of Customer. “Agreement” encompasses all order forms, statements of work, and/or online terms and conditions between Customer and Ping Identity.
(b) “AI Technology” means any products, services or features that utilize machine learning software, algorithms, hardware or other artificial intelligence tools that generate content or make predictions, recommendations, or decisions.
(c) “CA Privacy Law” means (collectively) the California Consumer Privacy Act, the California Privacy Rights Act, all implementing regulations, as and when effective, and any other applicable California state privacy laws.
(d) “Data Subject Request” means any request by an individual (or by another person acting on behalf of an individual) to exercise a right under any Privacy Law or any complaint or inquiry about the Processing of the individual’s Personal Information.
(e) “Deidentified” means a data set where (i) all Direct Identifiers have been removed, (ii) individuals cannot reasonably be identified using indirect identifiers in the dataset or using other information available to Ping Identity, and (iii) the data are protected by administrative and technical controls that are reasonably designed to ensure that the data are not re-identified or otherwise used in an identifiable manner. For purposes of this definition, a “Direct Identifier” is any single data element that could reveal a person’s identity, such as a person’s name, username or online identifier, email address, physical address or location, telephone number, device identifier, birthdate or transaction date, identification numbers (such as a government-issued ID number or account number) payment card number, IP address, biometric identifier, photograph or any other image that allows individual identification.
(f) “EEA Personal Data” means that subset of Personal Information consisting of “personal data” (as defined in GDPR) pertaining to residents of the European Economic Area (EEA) and (for convenience) Switzerland and the United Kingdom.
(g) “GDPR” means Regulation (EU) 2016/679 (the General Data Protection Regulation), including as it applies in UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, and all applicable regulations, as and when effective.
(h) “Internal Business Purposes” means processing of Personal Information by Ping Identity to (i) make back-ups as part of disaster recovery and business continuity programs; (ii) comply with its own legal or regulatory obligations; (iii) build and improve the quality of the Services, including debugging to identify and repair errors that impair intended functionality, provided that Ping Identity does not use Personal Information to provide services to other companies or to create profiles of individuals (other than for Customer or as needed to mitigate fraud and malicious activity); (iv) confirm usage quantities; and (v) prevent, detect or respond to security incidents or malicious, deceptive, fraudulent, or illegal activity.
(i) “Personal Information” means all data (regardless of format) that (i) identifies or can be used to identify, contact, locate or target a natural person, (ii) pertains in any way to an identified natural person, or (iii) falls within any definition of “personal information” or “personal data” under any applicable Privacy Law, and that is processed by Ping Identity in connection with providing the Services to Customer.
(j) “Personal Information Breach” means a “personal data breach” (as defined in the GDPR or other applicable Privacy Laws), any unauthorized use or disclosure of the Personal Information, or other event that compromises the security, confidentiality, or integrity of Personal Information.
(k) “Privacy Laws” means all applicable laws that regulate the Processing of Personal Information. In particular, the Privacy Laws include (as applicable) the CA Privacy Laws, the GDPR, and other applicable U.S. Federal, state and international laws and regulations that specify privacy, data protection, security or security breach notification obligations or that otherwise regulate the Processing of the Personal Information or the provision of the services by Ping Identity.
(l) “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, compilation, use, deidentification, disclosure, duplication, organization, storage, alteration, Transfer, transmission, combination, redaction, erasure, or destruction.
(m) “Restricted Transfer” means any Transfer where the applicable Privacy Law requires the parties to demonstrate adequate protection using a standard contractual instrument or other prescribed means. Restricted Transfers do not include Transfers to recipients in countries whose data protection regimes have been declared adequate by relevant data protection authorities or which are otherwise not restricted.
(n) “Services” means all services Ping Identity provides to or performs for Customer that entail Processing of Personal Information. “Services” encompasses the processing services as well as any products, websites, applications, devices or technologies used in connection with the provision of the Services.
(o) “Standard Contractual Clauses” means (as applicable) (i) the contract terms set forth in the Annex to the European Commission’s decision C(2021) 3972 of 4 June 2021 containing Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, or (ii) other contract terms published by relevant regulatory authorities to authorize data Transfers.
(p) “Subprocessor” means any entity (including an Affiliate of Ping Identity) acting under the instructions of Ping Identity that processes unencrypted Personal Information on behalf of Ping Identity.
(q) “Transfer” means to disclose or otherwise make the Personal Information available to another entity (including to any Ping Identity Affiliate or Subprocessor), either by physical movement of the Personal Information or by enabling remote access to the Personal Information.
2. General Obligations.
(a) Each party must use reasonable efforts to stay informed of the legal and regulatory requirements for its applicable responsibilities under this DPA. Ping Identity will comply with those obligations applicable to it as a “data processor” or “service provider,” and Customer will comply with those obligations applicable to it as a “data controller” or “business” (each as defined in the applicable Privacy Laws). Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Ping Identity for Processing as set forth herein. If any authorizations or consents of data subjects are required for such Processing of Personal Data by Ping Identity, Customer shall obtain such consents directly from the data subjects.
(b) Ping Identity will only Process or Transfer Personal Information as needed to provide Services, as needed for its Internal Business Purposes, or in accordance with Customer’s documented instructions. This DPA, the Agreement, and Customer’s use of the Service’s features and functionality are Customer’s complete set of instructions to Ping Identity in relation to the processing of Personal Information. Ping Identity will promptly notify Customer if, in its opinion, the instructions given by Customer for Processing violate any Privacy Law; provided, however, that Ping Identity has no independent obligation to verify that the Processing complies with any specific Privacy Law, as it is entitled to rely on Customer’s instructions.
(c) The Appendix below contains a general description of the Processing activities. Additional information about the Processing activities may be found in the Fact Sheets relevant to the Services that are posted in the Ping Identity Trust Center: https://www.pingidentity.com/en/legal/privacy-data-processing.html. Ping Identity may update the Appendix at any time upon thirty (30) days prior written notice as needed to inform Customer of any changes, including any changes to the privacy and security contacts or Subprocessors.
(d) Unless otherwise prohibited by the Agreement or any applicable Privacy Law, Ping Identity may also further Process Personal Information as needed to Deidentify it and aggregate it with other customer or third-party data to create datasets for other appropriate internal operational purposes such as research, product development and analytics. To the extent these sets contain any unique record identifiers, indirect identifiers or otherwise continue to be regulated by the Privacy Laws, Ping Identity will comply with provisions of applicable Privacy Law and continue to handle the data in accordance with this DPA.
(e) Ping Identity will promptly inform Customer in writing: (i) if it cannot comply with any material term of this DPA (if this occurs, Ping Identity will use reasonable efforts to remedy the non-compliance, and Customer will be entitled to suspend Ping Identity’s Processing of Personal Information); (ii) of any Data Subject Request received by it; (iii) of any other requests with respect to Personal Information received, including (without limitation) any request for access to any Personal Information received by Ping Identity from any entity, including (without limitation) from any data protection agency, law enforcement agency or pursuant to any civil subpoena, unless it is explicitly prohibited by law from notifying Customer of the request. Ping Identity understands that it is not authorized to respond to these requests without Customer’s approval unless the response is legally required under a subpoena or similar legal document issued by a government agency that compels disclosure by Ping Identity.
(f) Ping Identity will reasonably cooperate with Customer and with its Affiliates and representatives in responding to Data Subject Requests and regulatory inquiries as needed for Customer to demonstrate compliance with the Privacy Laws applicable to it and to respect individuals’ rights under such Privacy Laws. Ping Identity will reasonably assist Customer with any data protection impact assessments, transfer risk assessments or prior consultations with regulators as needed to comply with the Privacy Laws.
3. Specific Compliance Requirements. To the extent applicable:
(a) Ping Identity certifies that it will not (i) sell the Personal Information or share the Personal Information with third parties for online targeting, (ii) retain, use or disclose the Personal Information other than as specified in the Agreement, as needed to perform the Services and for its Internal Business Purposes, (iii) retain, use or disclose the Personal Information outside of its direct business relationship with Customer.
(b) If the Personal Information includes any Personal Information subject to the CA Privacy Laws, Ping Identity will comply with all applicable sections of the CA Privacy Laws, including by providing the same level of privacy protection as required by Customer. All contract terms for service providers/contractors required by the Regulations implementing the CA Privacy Laws are hereby incorporated herein as if they were reproduced in this section. More information about Ping Identity’s commitment to CA Privacy Law compliance can be found in the Trust Center: https://www.pingidentity.com/en/legal/ccpa-faqs.html
(c) If the Personal Information includes EEA Personal Data, Ping Identity and Customer will ensure adequate protection for the EEA Personal Data. For any Restricted Transfers of EEA Personal Data, the parties will document adequate protection for the EEA Personal Data using an approved data transfer mechanism in accordance with Section 5 below. More information about Ping Identity’s commitment to GDPR compliance can be found in the Trust Center: https://www.pingidentity.com/en/legal/gdpr-compliance-faq.html
(d) If the Personal Information includes “protected health information” (PHI) as defined in the Privacy, Security and Breach Notification Rules issued under the Health Insurance Portability and Accountability Act ("HIPAA"), the parties agree that the Processing of all such PHI is subject to the existing Business Associate Agreement between Customer and Ping Identity.
(e) If the Personal Information includes “consumer health data” as defined in an applicable Privacy Law or other sensitive Personal Information or special categories of data, the parties shall comply with the specific requirements for the Processing of these data elements. Ping Identity shall restrict access to these data elements to those personnel whose access is needed to provide the Services, and it shall only process these data elements in accordance with Customer’s specific binding instructions. Ping Identity shall reasonably assist Customer as needed for Customer to comply with its obligations under applicable Privacy Laws that regulate these data elements.
(f) Certain Ping Identity products and services incorporate AI Technology to improve usability, security, and fraud detection. Ping Identity uses reasonable and appropriate controls to manage its use of the AI Technology and validate that the outputs are free of inappropriate bias, given the purposes for which they are used.
4. Data Transfers and Subprocessors.
(a) Ping Identity will only Transfer Personal Information as authorized by Customer and permitted by applicable Privacy Laws. With respect to Ping Identity’s hosted service, Customer may select the data center(s) location from those locations offered by Ping Identity in which Personal Information shall be physically stored. Customer understands and agrees that by instructing Ping Identity to use a Subprocessor (such as a data center), the Parties are bound by the Subprocessor’s terms and conditions in addition to this DPA.
(b) Customer authorizes Ping Identity to make routine Transfers of Personal Information in the normal course of business to itself in other countries and to its Affiliates using intercompany contracts containing Standard Contractual Clauses or another approved mechanism. Ping Identity has certified to the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension of the EU-US Data Privacy Frameworks. These certifications provide the primary authorization for Restricted Transfers of EEA Personal Data to Ping Identity in the United States. See: https://www.dataprivacyframework.gov/s/
(c) Customer authorizes Ping Identity to Transfer Personal Information to the Subprocessors listed in the Ping Identity Data Supplement (https://www.pingidentity.com/en/legal/data-supplement.html), as may be amended by Ping Identity from time to time (Customer may subscribe to receive updates from such website). In each case, Ping Identity: (i) has conducted adequate due diligence to verify that the Subprocessor is capable of providing the level of protection for Personal Information as is required by this DPA; (ii) will ensure that all Restricted Transfers of Personal Information to the Subprocessors are authorized using an approved mechanism; (iii) has entered into a written contract with the Subprocessor that includes privacy and security terms no less stringent than are imposed on Ping Identity hereunder; and (iv) remains primarily liable to Customer for the acts, errors and omissions of the Subprocessor, as if they were Ping Identity's own acts, errors and omissions. Customer may at any time object to a Subprocessor for good cause by sending an email to legalnotice@pingidentity.com, and Ping Identity will not allow the Subprocessor to Process any Personal Information until such objection is resolved. If the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after Ping Identity’s receipt of the objection, Customer may, as its sole and exclusive remedy, terminate its applicable subscriptions from Ping Identity with respect only to those aspects of the Service which cannot be provided by Ping Identity without the use of the new Subprocessor. In such event, Ping Identity shall refund Customer any unused, prepaid Fees for the applicable Service covering the remainder of the subscription term after the date of termination.
(d) Should any supervisory authority or court determine that any Transfer mechanism used herein is no longer an appropriate basis for Restricted Transfers, Ping Identity and Customer will promptly take all steps reasonably necessary to demonstrate adequate protection for the impacted information, using another approved mechanism. Ping Identity understands and agrees that Customer may terminate the Transfers as needed to comply with the applicable Privacy Laws.
(e) Should other jurisdictions require specific contractual terms to enable Restricted Transfers, the parties will use good faith efforts to negotiate these instruments as needed to comply with the applicable Privacy Laws. If permitted by law, the parties agree that the terms of the new instruments will be automatically incorporated by reference into this DPA upon either party’s circulation of an amendment containing the required transfer terms. The receiving party will have thirty (30) days to object to the amendment by giving the other party written notice, in which case Customer may terminate the Transfers as needed to comply with law.
5. Security and Personal Data Breaches.
(a) Ping Identity has implemented and documented appropriate administrative, technical and physical measures to protect Personal Information against accidental or unlawful destruction, alteration, unauthorized disclosure or access as described in more detail in the Ping Identity Security Exhibit: https://www.pingidentity.com/security-exhibit (the “Security Exhibit”).
(b) Ping Identity may disclose Personal Information to its employees and contingent workers as reasonably needed to provide the Services. Prior to allowing any employee or contingent worker to Process any Personal Information, Ping Identity shall (i) conduct an appropriate background investigation of the individual as permitted by law (and receive an acceptable response), (ii) require the individual to execute an enforceable confidentiality agreement (unless they are subject to a statutory or professional obligation of confidentiality), and (iii) provide the individual with appropriate privacy and security training. Ping Identity will also reasonably monitor its employees and contingent workers for compliance with the privacy and security program requirements.
(c) Ping Identity will promptly investigate any security incident which is reasonably suspected to have resulted in the unauthorized access to, use or disclosure of the Personal Information. Ping Identity will notify Customer without undue delay upon determining that a Personal Information Breach impacts Personal Information. This notification will be made via email to the address specified by Customer in the Appendix. Ping Identity will provide Customer with all information in its possession about the Security Breach reasonably needed by Customer to assess its incident response obligations.
(d) When Ping Identity ceases to perform Services for Customer (and at any other time, upon request), Ping Identity will either (i) return the Personal Information or (ii) purge, delete and destroy the Personal Information. If Ping Identity is required by applicable law to retain any Personal Information, it shall (i) ensure the continued confidentiality and security of the Personal Information, (ii) securely delete or destroy the Personal Information when the legal retention period has expired, and (iii) not actively Process the Personal Information other than as needed to comply with law.
6. Audit.
(a) Ping Identity and Customer will first use all reasonable efforts to satisfy Customer audit needs through (i) responses to a reasonable information security-related questionnaire; (ii) copies of Ping Identity’s most recently completed SOC-2 Type II audit report, its public ISO 27001 certificate and non-public Statement of Applicability; (iii) a summary of Ping Identity’s operational practices related to data protection and security; (iv) a summary of Ping Identity’s operational practices related to data protection and security; (v) summary of the most recent annual penetration test; and (vi) making Ping Identity’s personnel reasonably available for security-related discussions.
(b) Where required by law, Ping Identity will submit its corporate headquarters for a reasonable audit upon at least 30 days prior written notice, not more than once per year, during Ping Identity’s reasonable business hours, which shall be carried out by Customer (or by a qualified independent auditor) in a mutually agreeable manner. In the event a Customer audit takes more than one business day, Customer shall reimburse Ping Identity for any time expended by Ping Identity in fulfilling any such request at Ping Identity’s then-current professional services rates, which shall be made available to Customer upon request. Any independent auditors utilized shall be required to enter into a confidentiality agreement with Ping Identity. For the avoidance of doubt, Customer understands that due to the third-party hosting and multi-tenant nature of the Services, Ping Identity cannot grant access to the premises, facilities, or records of any Subprocessor or Ping Identity’s production or non-production systems, source code, or anything that could expose sensitive information of Ping Identity or the confidential information of other customers of Ping Identity.
(c) Ping Identity shall also cooperate with any audits conducted by any regulatory agency that has authority over Customer as needed to comply with applicable law.
7. Miscellaneous.
(a) In the event of a conflict between the terms and conditions of the Agreement and this DPA, this DPA shall control.
(b) If an amendment to this DPA is required in order to comply with any applicable Privacy Law, the parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements of such Privacy Law.
(c) Each party’s liability arising out of or related to this DPA, whether contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party and its Affiliates under the Agreement and this DPA, including its exhibits and attachments, together.
(d) This DPA shall remain in effect until, and automatically expire upon, deletion of all Personal Information by Ping Identity as described in this DPA.
Appendix to the Data Processing Addendum
This Appendix also serves as the Appendix to the Standard Contractual Clauses, if those are used to authorize cross-border data transfers as indicated below.
ANNEX I
A. LIST OF PARTIES
Customer name and address as specified in the Agreement or above in this DPA.
Customer Contact for Breach Notification: Customer's administrator set forth in Ping Identity's system
Customer acts as the data exporter/controller.
and
Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202
Ping Identity acts as the data importer/processor, for itself and its Affiliates, as applicable.
Ping Identity Privacy Office: privacy@pingidentity.com
B. DESCRIPTION OF THE PROCESSING AND TRANSFER
Ping Identity provides enterprise identity and access management (IAM) products and related security solutions. Ping Identity’s products enable customers to provide secure access to their networks and systems to their employees and customers. Ping Identity’s products range from basic single sign-on solutions to fully orchestrated risk-based, adaptive authentication workflows that support different IAM use cases, such as fraud detection, identity proofing, and authorization.
Categories of data subjects whose personal data are processed and/or transferred
Customer’s employees, users, and other persons whose information is processed by Ping Identity in the course of providing the IAM services to the Customer.
Categories of personal data processed and/or transferred
Contact information (such as name, address, email address)
Professional details (such as employer, title, position)
IAM data and technical information (such as access privileges and customer access criteria, access log information)
Online and technical data (IP address, device ID and related data, connection data)
For the PingOne Fraud Service: Behavioral characteristics (such as keystroke dynamics) which are used to detect bots and not used for individual identification.
For the PingOne DaVinci Service: The orchestration platform allows customers to process and store additional categories of data; these are determined by the customer and are not required by Ping Identity.
Sensitive data processed and/or transferred (if applicable)
Ping Identity’s IAM products do not require sensitive data, but some products provide customers and end users with the capability to process biometric data for authentication and multi-factor authentication.
For the PingID Service: The Service itself does not process biometric data but does allow users to authenticate using the biometric capabilities of their devices (such as TouchID).
For the PingOne Verify Service: If implemented by customer, biometric data (facial recognition) is processed for authentication. The user uploads a photo to enable this functionality.
For the PingOne DaVinci Service: The orchestration platform allows customers to process and store additional categories of data, which may include special categories of data; these are determined by the customer and are not required by Ping Identity.
Nature of the processing
Personal data is processed for identity and access management in connection with the services set forth on the applicable Order Form. Ping Identity may further Process Personal Information for the following closely-related purposes: (i) detecting security incidents, and protecting against malicious, deceptive, fraudulent, or illegal activity; (ii) debugging to identify and repair errors that impair intended functionality of the Products and other activities needed to maintain the quality and/or safety of the products; and (iii) internal operational activities such as responding to data subject requests, making back-ups as part of disaster recovery/business continuity programs, confirming usage quantities, and processing required for legal or regulatory compliance.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be retained by the data importer in accordance with its data retention policy and no longer than necessary for the purposes set forth in the Agreement.
Physical location of the personal data
For hosted solutions, Customer will select the data center(s) from those locations offered by Ping Identity.
Purpose(s) of the data transfer and further processing.
To enable Ping Identity to provide the IAM products and services per the Agreement.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
C. COMPETENT SUPERVISORY AUTHORITY FOR RESTRICTED TRANSFERS
| Restricted Transfer | Competent Supervisory Authority & Governing Law |
|---|---|
| EEA Transfers per Schedule 1 | Schleswig-Holstein DPA (Germany) |
| Swiss Transfers | Federal Data Protection & Information Commissioner (FDPIC) – Switzerland |
| UK Data Transfers per Schedule 2 | Information Commissioner (ICO) – United Kingdom |
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Ping Identity’s information security program is described here: https://www.pingidentity.com/security-exhibit.
ANNEX III – LIST OF SUBPROCESSORS
Customer has authorized Ping Identity’s use of the subprocessors listed here:
https://www.pingidentity.com/en/legal/data-supplement.html