Superceded October 25, 2022

This Data Privacy Addendum (“DPA”) relates to the processing by Ping Identity Corporation (“Ping Identity”) of Personal Data (as defined below) provided by the company or entity that is party (“Customer”) to the applicable subscription or license agreement and ordering documentation between Customer and Ping Identity (collectively, the “Agreement”) governing Customer’s use of Ping Identity’s software and/or hosted service products. This DPA is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement. If an Affiliate of Customer has executed an Order Form with Ping Identity but is not the original signatory to the Agreement, this DPA is an addendum to and forms part of such Order Form. As used in this DPA, any capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
 

1.     Definitions

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws and Regulations” means any and all data protection and privacy laws throughout the world to the extent they apply to the subject matter of this Agreement, which may include: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) California Consumer Privacy Act of 2018 (the “CCPA”) (iii) the UK GDPR; and (iv) any other similar data protection laws in any other applicable territory, each as amended, replaced, or superseded.

“Data Subject” means the individual to which the Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable natural person or that is otherwise defined as "personal data" "personal information" (or any analogous concept) under applicable Data Protection Laws and Regulations that is: (i) Processed by Ping Identity’s products that are provided as a hosted, software-as-a-service application; (ii) provided to Ping Identity by Customer in the form of a log file generated by Ping Identity products that are provided as downloadable software in connection with support activities; or (iii) obtained by Ping Identity personnel in the performance of professional services ((i) through (iii) hereunder collectively referred to as “Services”).

“Processing (or Process or Processed)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“SCCs (2010)” means the standard contractual clauses incorporated herein by reference pursuant to the European Commission’s decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

“SCCs (2021)” means the agreement incorporated herein by reference pursuant to the European Commission’s decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Standard Contractual Clauses” means, collectively, the SCCs (2010) and SCCs (2021).

“Subprocessor” means any Processor engaged by Ping Identity to Process Personal Data.

“UK GDPR” means the GDPR as it applies in UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2.     Processing of Personal Data

2.1 Provision of Service. Ping Identity provides a Service to Customer as specified in the Agreement. In connection with this Service, the parties anticipate that Ping Identity may Process Personal Data relating to Data Subjects on behalf of the Customer.

2.2 The parties’ roles. The parties agree that with regards to the Processing of Personal Data, Customer is the Controller, Ping Identity is the Processor and Ping Identity may engage Subprocessors pursuant to the requirements of this DPA.

2.3 Customer’s Instructions. Ping Identity will only Process Personal Data for the performance of the Services pursuant to the Agreement  and in accordance with Customer’s documented instructions as reasonably contemplated by the Agreement. This DPA, the Agreement, and Customer’s use of the Service’s features and functionality, are Customer’s complete set of instructions to Ping Identity in relation to the processing of Personal Data.

2.4 Scope of Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibits 1 and 2 to this DPA.

2.5 Nature of Customer Data. Customer represents and warrants that it will not transmit or expose to Ping Identity any (i) protected health information (as that term is used in the Health Insurance Portability and Accountability Act of 1996 (HIPAA)); (ii) cardholder data (as regulated by the Payment Card Industry Security Standards Council); or (iii) sensitive Personal Data (as that term is used in the GPDR and UK GDPR)  as a part of using the Products, in connection with Support Services, or otherwise under this Agreement.

2.6 CCPA. To the extent that the CCPA is applicable to the Parties, the Parties agree to the following: (i) Ping Identity is a Service Provider (as defined in the CCPA) for purposes of the Agreement and this DPA; (ii) Ping Identity shall not retain, use, or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and as set forth in the Agreement or as otherwise permitted by the CCPA; (iii) Ping Identity shall not sell (as defined in the CCPA) Personal Data provided by Customer or processed on Customer’s behalf; (iv) Customer is responsible for verifying a consumer request with respect to Personal Data processed by Ping Identity before requesting applicable information from Ping Identity; and (v) ​​Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.

3.     Responsibilities

3.1 Ping Identity’s responsibility. Ping Identity shall cooperate and provide Customer with assistance that Customer deems reasonably necessary to comply with applicable Data Protection Laws and Regulations in regards to Ping Identity’s Processing of Personal Data. Customer acknowledges that Ping Identity is not responsible for determining the requirements of Data Protection Laws and Regulations applicable to Customer’s business.

3.2 Transfers of Personal Data Outside the EU, UK, and Switzerland. The Standard Contractual Clauses will apply as follows:

(a)    Subject to Exhibit 1, the SCCs (2021) shall apply to the extent: (i) Customer is subject to the Data Protection Laws and Regulations in the European Union or European Economic Area; (ii) Personal Data is transferred, either directly or via onward transfer, from the European Union, European Economic Area to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Laws and Regulations); and (iii) an alternative legal mechanism of ensuring an adequate level of protection for Personal Data is not available with respect to such transfer(s) as set forth herein.

(b)   Subject to Exhibit 2, the SCCs (2010) shall apply to the extent: (i) Customer is subject to the Data Protection Laws and Regulations in  Switzerland or the United Kingdom; (ii) Personal Data is transferred, either directly or via onward transfer, from Switzerland or the United Kingdom to any country not recognized by the GDPR (for transfers from Switzerland) or UK GDPR (for transfers from the United Kingdom) as providing an adequate level of protection for personal data (as described in the Data Protection Laws and Regulations); and (iii) an alternative legal mechanism of ensuring an adequate level of protection for Personal Data is not available with respect to such transfer(s) as set forth herein.

(c)    The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the European Union, European Economic Area, Switzerland, and the United Kingdom, as applicable. For the purpose of the Standard Contractual Clauses, Customer and its Affiliates shall be deemed “data exporters.”

3.3 Modifications. If the Standard Contractual Clauses apply as set forth in Section 3.2 of this DPA and if such Standard Contractual Clauses are later deemed inadequate or are disapplied or replaced by a court, government, or regulatory authority during the term of the Agreement, then the parties will negotiate in good faith  to implement an alternative legal mechanism of ensuring an adequate level of protection for Personal Data under applicable Data Protection Laws and Regulations. Notwithstanding anything to the contrary herein, in the event that Ping Identity provides Customer with thirty (30) days’ notice (which notice may be provided through support channels, Ping Identity’s website, Ping Identity’s status notifications that may be subscribed to at https://www.pingidentity.com/data-supplement, or such other reasonable means) that Ping Identity has elected to rely on an alternative adequacy mechanism for the transfer of any Personal Data in connection with the Services, the parties shall use such alternative adequacy mechanism, provided such alternative mechanism is approved by the applicable data processing authorities or otherwise permitted by Data Protection Laws and Regulations. ​​In the event that a change in Data Protection Laws and Regulations occurs during the term of this Agreement such that the Services do not enable compliance with such change, and as a result of such change Ping Identity is unable to alter the Services without undue burden (in Ping Identity’s reasonable discretion), then Customer may, as its exclusive remedy,  elect to terminate the Agreement and all outstanding subscriptions to Ping Identity’s Products without penalty, and receive a refund of any prepaid, unused Fees.

3.4 Customer’s responsibility. Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Ping Identity for Processing. Customer’s instructions for the Processing of Personal Data by Ping Identity shall at all times comply with applicable Data Protection Laws and Regulations and Customer shall ensure that Ping Identity’s Processing of Personal Data in accordance with Customer’s instructions will not cause Ping Identity to violate any applicable Data Protection Laws and Regulations. In the event Customer becomes aware that provided instructions are in conflict with applicable Data Protection Laws and Regulations, Customer will promptly notify Ping Identity. Customer recognizes that Ping Identity does not have a means to verify (i) the residency of each Data Subject, (ii) the aspects of Personal Data that are provided to Ping Identity by Customer in connection with each request by Customer to Process such Personal Data, nor (iii) the location of third parties that Customer chooses to exchange Personal Data with as part of the intended functionality of the Service (such as in a single-sign on transaction).  Customer shall be responsible for ensuring that all such Personal Data may be Processed by Ping Identity’s Services in compliance with Data Protection Laws and Regulations, and Ping Identity will provide all reasonably necessary information to Customer to allow Customer to make such determination upon Customer’s written request.  If any authorizations or consents of Data Subjects are required for the Processing of Personal Data by Ping Identity, Customer shall be required to obtain any such consents directly from the Data Subjects.

3.5 Ping Identity’s duty of cooperation. If applicable Data Protection Laws and Regulations require Customer to conduct an assessment of the privacy impacts of any Processing of Personal Data carried out by Ping Identity (“Data Protection Impact Assessment”), Ping Identity will reasonably cooperate with Customer’s conduct of the assessment to the extent applicable to Ping Identity’s responsibilities under this DPA and the Agreement. If applicable Data Protection Laws and Regulations require Customer to notify, seek guidance from, or consult with any governmental authority or representative body, concerning Ping Identity’s Processing of Personal Data, Ping Identity will reasonably cooperate with Customer in connection with such advisory request or consultation to the extent applicable to Ping Identity’s responsibilities under this DPA and the Agreement, and as allowed by Data Protection Laws and Regulations.

3.6 Data Protection Officer. Ping Identity’s data protection officer may be contacted via dpo_privacy@pingidentity.com.

4.     Storage and access to Personal Data

4.1 Data residency. With respect to Ping Identity’s hosted service, Customer may select the data center(s) in which Personal Data shall be stored. Personal Data received through the Services may be disclosed to, transferred to, and/or allowed to be accessed by or otherwise Processed by Ping Identity’s personnel or the Subprocessors. Personal Data may be transferred to personnel of Ping Identity located in the countries set forth at https://www.pingidentity.com/data-supplement in the course of performing the Services. Ping Identity will notify Customer if the foregoing countries changes (which notice may be provided through support channels, Ping Identity’s website, Ping Identity’s status notifications that may be subscribed to at https://www.pingidentity.com/data-supplement, or such other reasonable means).  In the event that the foregoing countries to which Personal Data may be transferred is changed, the parties agree to cooperate in good faith in meeting any additional regulatory or legal requirements necessary to allow such transfers. Notwithstanding the foregoing, with the exception of Personal Data processed through the hosted service, certain Personal Data may be stored by Ping Identity or its Subprocessors in the U.S. for operational purposes.

4.2 Ping Identity’s access to Personal Data. Ping Identity shall ensure that access to Personal Data is restricted to only those personnel who have a need to know to enable Ping Identity to perform its obligations under the Agreement and this DPA. Ping Identity’s personnel engaged in the Processing of Personal Data shall be informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and be bound in writing by obligations of confidentiality sufficient to protect Personal Data in accordance with the terms of this DPA.

4.3 Access by authorities. To the extent legally permitted, Ping Identity will promptly, and no later than five (5) business days following receipt, notify Customer of (i) any request for access to any Personal Data from any regulatory body or government official, and (ii) any warrant, subpoena, or similar request to Ping Identity regarding any Personal Data.  Ping Identity will comply with any legal hold from Customer regarding Personal Data and will provide reasonable support so that Customer can comply with third party requests as required by Data Protection Laws and Regulations if Customer cannot otherwise reasonably obtain such information. Ping Identity will reasonably cooperate with Customer if Customer or its regulators properly request access to Personal Data for any reason in accordance with the Agreement, this DPA, or applicable Data Protection Laws and Regulations.

5.     Subprocessors

5.1 Ping Identity’s use of Subprocessors. By executing this DPA, Customer has given its general written consent and authorization for Ping Identity to engage Subprocessors in connection with the Services. The current list of Subprocessors is set forth at https://www.pingidentity.com/sub-processors (which link may be updated by Ping Identity from time to time in accordance with Section 5.3 of this DPA).  Ping Identity may not transfer Personal Data to any other Subprocessor without providing prior written notice to Customer (which notice may be provided through by Customer subscribing to receive updates to https://www.pingidentity.com/sub-processors or such other reasonable means); provided, that Customer will have ten (10) business days to reasonably object that such change causes Customer to be in violation of Data Protection Laws and Regulations. In the event that Customer has not provided an objection to such changes within ten (10) business days, Customer will be deemed to have waived its right to object and to have consented to the use of the new or alternative Subprocessor. Notwithstanding the foregoing, where a sudden replacement or supplement of a Subprocessor is required by Ping Identity to continue providing the Services (such as if a third party abruptly discontinues services to Ping Identity), Ping Identity may, in lieu of advance notice, inform Customer of the new Subprocessor as soon as practicable and using the same notice procedures as set forth above, following which Customer may raise reasonable objections as set forth above. In the event that Customer reasonably objects to such change, Ping Identity shall, in its sole discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Customer; (2) take the corrective steps requested by Customer in its objection and proceed to use the new Subprocessor; or (3) cancel its plans to use the Subprocessor. If Ping Identity is unable or unwilling to achieve either (1) through (3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after Ping Identity’s receipt of the objection, Customer may, as its sole and exclusive remedy, terminate its applicable subscriptions from Ping Identity with respect only to those aspects of the Service which cannot be provided by Ping Identity without the use of the new Subprocessor.  In such event, Ping Identity shall refund Customer any unused, prepaid Fees for the applicable Service covering the remainder of the subscription term after the date of termination.

5.2 Onward Transfer of Personal Data. Any transfer by Ping Identity of Personal Data to a Subprocessor will be governed by a written contract providing that the Subprocessor will process Personal Data in accordance with Ping Identity’s instructions as required by Data Protection Laws and Regulations. Ping Identity conducts an annual review and assessment of its Subprocessors to ensure such Subprocessors have in place proper organizational and technical safeguards to ensure the protection of Personal Data.

5.3 Liability for Subprocessors. Ping Identity shall be liable for the performance of its Subprocessors to the same extent Ping Identity would be liable if Processing Personal Data itself.

6.     Data Subject’s rights

6.1 Requests and complaints. To the extent legally permitted, Ping Identity shall promptly notify Customer in writing if Ping Identity receives any request from a Data Subject with respect to Personal Data being Processed. Ping Identity shall not directly respond to any such request, unless authorized and directed to do so by Customer or required by applicable Data Protection Laws and Regulations. Ping Identity shall reasonably cooperate with Customer and may charge Customer a reasonable fee for such cooperation with respect to any action taken relating to such request.

7.     Security measures

7.1 Ping Identity’s obligations. Ping Identity shall provide appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Ping Identity shall, at a minimum, maintain the security of the Service and the Personal Data in accordance with Ping Identity’s Security Exhibit, accessible via  www.pingidentity.com/security-exhibit.

7.2 Determination of security requirements. Customer acknowledges that the Service includes certain features and functionalities that Customer may elect to use that impact the security of Personal Data, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Ping Identity account. Customer is responsible for reviewing the information Ping Identity makes available regarding its data security, including its audit reports, and making an independent determination as to whether Ping Identity’s Service meets Customer’s requirements and legal obligations, including its obligations under this DPA. Customer is further responsible for properly configuring Ping Identity’s products to maintain appropriate security in light of the nature of the data processed by such products.

8.     Security Incident response and notification

8.1 Discovery and investigation of a breach. Ping Identity will notify Customer without undue delay upon becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Ping Identity (a “Personal Data Incident”). Ping Identity shall make reasonable efforts to identify the cause of a Personal Data Incident and take those steps as Ping Identity deems necessary and reasonable in order to remediate the cause of such Personal Data Incident, to the extent that the remediation is within Ping Identity’s reasonable control. The obligations set forth herein shall not apply to incidents that are caused directly or indirectly by either the Customer or Users.

8.2 Notification format and contents. Ping Identity shall direct its notice by email to the address provided by Customer in Ping Identity’s customer portal. Such notice shall include, if known by Ping Identity: (i) a description of the Personal Data Incident, (ii) the categories and approximate numbers of impacted individuals, (iii) possible consequences of the Personal Data Incident, (iv) corrective actions taken or to be taken by Ping Identity, if any, (v) internal point(s) of contact that Customer may engage for managing or responding to Customer about the Personal Data Incident, and (vi) Ping Identity’s Data Protection Officer’s contact information.

9.     Retention, return and deletion of Personal Data

9.1 Return and deletion of Personal Data upon termination. When Personal Data is no longer necessary for the purposes set forth in this DPA or at an earlier time as Customer requests in writing,  Ping Identity will (i) provide to Customer, in the format and on the media as mutually agreed between the parties, a copy of all or, if specified by Customer, any part of the Personal Data; and/or (ii) delete all, or if specified by the Customer, any part of the Personal Data in Ping Identity’s possession, except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy. Any Personal Data that is not immediately deleted, will continue to be protected as set forth in this DPA.

9.2 Customer’s copy of Personal Data. During the term of the Agreement, Ping Identity will provide Customer with the capability to obtain a copy of its Personal Data by way of an API and/or console. Upon termination or expiry of the Agreement, and upon request, Ping Identity will provide a reasonable opportunity for Customer to obtain a copy of its Personal Data and delete the same. This requirement shall not apply to the extent that Ping Identity retains some or all of the Personal Data it has archived on back-up systems, which Ping Identity shall securely isolate and protect from any further processing except to the extent required by Data Protection Laws and Regulations.  

10.   Limitation of liability. Each party’s liability arising out of or related to this DPA, including its exhibits and attachments, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this DPA, including its exhibits and attachments, together.

11.   Security audits

11.1      Audit reports.  Ping Identity uses external auditors to verify the adequacy of its security measures with respect to its processing of Personal Data. Such audits are conducted at least annually, are performed at Ping Identity’s expense by independent third-party audit professionals at Ping Identity’s selection, and result in a confidential audit report. A list of Ping Identity’s certifications and/or standards for audit as of the date of this DPA can be found at https://www.pingidentity.com/security-exhibit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Ping Identity shall promptly provide Customer with information related to Ping Identity’s information security safeguards and practices, which may include  one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire no more than once annually; (ii) copies of relevant third party audits, reviews, tests, or certifications of Ping Identity’s systems or processes, including an annual SOC 2 report; (iii) a summary of Ping Identity’s operational practices related to data protection and security; and (iv) making Ping Identity personnel reasonably available for security-related discussions with Customer. For the avoidance of doubt, nothing in this Agreement shall be construed as permitting Customer access to Ping Identity’s production or non-production systems, source code, or access to anything that may expose confidential information of other customers of Ping Identity. In the event that the SCCs (2021) or SCCs (2010) are applicable, additional audit rights will be as set forth in Exhibits 1 or 2, respectively.

12.   Miscellaneous

12.1 Order of precedence. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms and conditions of the Standard Contractual Clauses, Exhibits 1 and 2, the Agreement, and this DPA, the conflict shall be resolved in the following order of precedence: (i) Standard Contractual Clauses, (ii) Exhibits 1 and 2, (iii) this DPA, and (iv) the Agreement.

12.2 Duration of this DPA. This DPA shall remain in effect until, and automatically expire upon, deletion of all Personal Data by Ping Identity as described in this DPA.

12.3 Amendments. If an amendment to this DPA is required in order to comply with applicable Data Protection Laws and Regulations, both parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by the applicable Data Protection Laws and Regulations.

Exhibit 1

SCCs (2021) ADDENDUM

This SCCs (2021) Addendum (“SCCs (2021) Addendum”) applies if the SCCs (2021) apply as set forth in the DPA.

1. Processing Generally.
 

a.    Modules. Customer and Ping Identity acknowledge and agree that only Module 2 (Transfer Controller to Processor) of the SCCs (2021) applies to the Processing described in the DPA.
 

b.   Instructions. Customer’s complete and final documented instructions for the Processing of Personal Data are as set forth in Section 2.3 of the DPA. Any additional or alternate instructions must be agreed upon in a writing executed by authorized representatives of each party.  For the purposes of Clause 8.1(a) of the SCCs (2021), the following are deemed the exclusive instructions by the Customer to Process Personal Data: (i) Processing in accordance with this SCCs (2021) Addendum and the Agreement; and (ii) Customer’s use of the Service’s features and functionality.
 

c.    Copies. In the event that Customer provides a copy of the SCCs (2021) to a Data Subjects pursuant to Clause 8.3 of the SCCs (2021), Customer shall redact all business secrets and Confidential Information of Ping Identity, including all measures described in Annex II thereto. Ping Identity acknowledges and agrees that Customer may need to provide a meaningful summary of such redacted information to the Data Subject.
 

d.    Deletion. The parties acknowledge and agree that any deletion or return of Personal Data that is described in Clause 8.5 of the SCCs (2021) (and certification of the same) shall be conducted as set forth in Section 9.1 of the DPA and  shall be provided by Ping Identity only upon Customer’s request.

2. Onward Transfers. The parties acknowledge and agree that Customer’s documented instructions for disclosure of Personal Data to a third party as described in Clause 8.8 of the SCCs (2021) shall be carried out in accordance with Sections 4 and 5 of the DPA.

3. Security Audits. The parties agree that they will use reasonable efforts to satisfy any audit requests or requirements described in Clauses 8.9(c)-(e) of the SCCs (2021) through the processes outlined in Section 11.1 of the DPA. In the event that such processes are unable to satisfy the requirements of Customer, then in addition to any audit rights of Customer set forth in the Agreement, upon written request, Ping Identity will provide to Customer all information reasonably required by Customer from time to time to assess Ping Identity’s compliance with the SCCs (2021). Ping Identity shall be permitted to redact information that is reasonably deemed sensitive for external exposure.  Upon reasonable advance written request of not less than thirty (30) days and at reasonable intervals not to exceed once every twelve months, Ping Identity will allow for and contribute to reasonable audits and inspections conducted by Customer (or Customer’s independent third-party auditor, provided they enter into Ping Identity’s reasonable non-disclosure agreement), including on-site inspections of Ping Identity’s business premises for the purpose of assessing Ping Identity’s compliance with the SCCs (2021).  Customer shall reimburse Ping Identity for any time expended by Ping Identity in fulfilling any such audits or information requests set forth in this section (other than as set forth in Section 11.1 of the DPA, which shall be at no additional cost to Customer) at Ping Identity’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and Ping Identity shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Ping Identity. Customer understands that due to the third-party hosting and multi-tenant nature of the Services, Ping Identity cannot grant access to the premises, facilities, or records of any Subprocessor or Ping Identity’s production or non-production systems, source code, or anything that could expose confidential information of other customers of Ping Identity.

4. Subprocessors. The parties agree to utilize Option 2 set forth in Clause 9(a) of the SCCs (2021). Furthermore, the parties agree that any changes to Subprocessors as described in Clause 9(a) of the SCCs (2021) shall be carried out in accordance with Section 5 of the DPA. The parties agree that the copies of the Subprocessor agreements that may be provided by Ping Identity to Customer pursuant to Clause 9(c) of the SCCs (2021) may have all commercial information, or clauses unrelated to the SCCs (2021) or their equivalent, removed by Ping Identity beforehand; and, that such copies will be provided by Ping Identity in a manner to be determined in its discretion, and only upon written request by Customer.

5. Liability. The parties acknowledge and agree that Section 10 of the DPA expressly applies to Clause 12 of the SCCs (2021).

6. Termination. The parties agree that in the event Customer terminates the Agreement and/or an Order Form as described in Clause 16 of the SCCs (2021),  Customer shall remain liable for all fees set forth on any outstanding Order Form(s), regardless of whether such fees have been invoiced or are yet payable at the time of such termination.

7. Governing Law. The parties agree to utilize Option 1 set forth in Clause 17 of the SCCs (2021). The Parties agree to the law of Ireland. Furthermore, the parties agree to utilize the courts of Ireland for purposes of Clause 18 of the SCCs (2021).

8. Conflict. Except as specifically set forth in this Exhibit 1, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms and conditions of the SCCs (2021), the Agreement, this SCCs (2021) Addendum, and any other previously executed data protection or data privacy agreement (“DPA”), the conflict shall be resolved in the following order of precedence: (i) SCCs (2021), (ii) this Exhibit 1, (iii) the DPA, and (iv) the Agreement.

9. Annex I. The parties acknowledge and agree that Annex I attached hereto shall apply for purposes of the Annex I referenced in the SCCs (2021).

10. Annex II. The parties acknowledge and agree that Annex II attached hereto shall apply for purposes of the Annex II referenced in the SCCs (2021).

Annex I

A.   LIST OF PARTIES
 

Data exporter(s): Customer (as defined in the Agreement)

Data importer(s): Ping Identity (as defined in the Agreement)

B.   DESCRIPTION OF TRANSFER
 

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

• Prospects, customers, business partners and vendors of data exporter (who are natural persons)
• Employees or contact persons of data exporters’s prospects, customers, business partners and vendors
• Employees, agents, advisors, freelancers of data exporter (who are natural persons)
• Data exporter’s Users authorized by data exporter to use the Services

Categories of personal data transferred

Data exporter may submit Personal Data to the Services consistent with the Agreement, the extent of which is determined and controlled by the Data Exporter, and which may include, but is not limited to the following categories of Personal Data:

• First and last name, title, position, employer, contact information (company, email, phone, physical business address), ID and device data, connection data, localisation data

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Personal Data is transferred on a continued basis.

Nature of the processing

The nature of the Processing is the performance of the Services pursuant to the Agreement.

Purpose(s) of the data transfer and further processing

The purposes of the Processing is the performance of the Services pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained by the data importer in accordance with its data retention policy and no longer than necessary for the purposes set forth in the Agreement, or until such earlier time as the data exporter requests in writing.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are the performance of the Services pursuant to the Agreement.

C.   COMPETENT SUPERVISORY AUTHORITY

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Annex II
 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Data Importer shall provide appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Ping Identity shall, at a minimum, maintain the security of the Service and the Personal Data in accordance with the security exhibit, as updated from time to time, available at https://www.pingidentity.com/security-exhibit. 

Exhibit 2

SCCs (2010) ADDENDUM

This SCCs (2010) Addendum (“SCCs (2010) Addendum”) applies if the SCCs (2010) apply as set forth in the DPA. 

1. Processing Generally.
 

a.    Modules. Customer and Ping Identity acknowledge and agree that only Module 2 (Transfer Controller to Processor) of the SCCs (2021) applies to the Processing described in the DPA.

b.   Instructions. Customer’s complete and final documented instructions for the Processing of Personal Data are as set forth in Section 2.3 of the DPA. Any additional or alternate instructions must be agreed upon in a writing executed by authorized representatives of each party.  For the purposes of Clause 8.1(a) of the SCCs (2021), the following are deemed the exclusive instructions by the Customer to Process Personal Data: (i) Processing in accordance with this SCCs (2021) Addendum and the Agreement; and (ii) Customer’s use of the Service’s features and functionality.

c.    Copies. In the event that Customer provides a copy of the SCCs (2021) to a Data Subjects pursuant to Clause 8.3 of the SCCs (2021), Customer shall redact all business secrets and Confidential Information of Ping Identity, including all measures described in Annex II thereto. Ping Identity acknowledges and agrees that Customer may need to provide a meaningful summary of such redacted information to the Data Subject.

d.    Deletion. The parties acknowledge and agree that any deletion or return of Personal Data that is described in Clause 8.5 of the SCCs (2021) (and certification of the same) shall be conducted as set forth in Section 9.1 of the DPA and  shall be provided by Ping Identity only upon Customer’s request.

2. Subprocessors. The parties agree that Customer’s consent to the Subprocessors described in Clause 5(h) and Clause 11 of the SCCs (2010) shall be carried out in accordance with Section 5 of the DPA. The parties agree that the copies of the Subprocessor agreements that must be provided by Ping Identity to Customer pursuant to Clause 5(j) of the SCCs (2010) may have all commercial information, or clauses unrelated to the SCCs (2010) or their equivalent, removed by Ping Identity beforehand; and, that such copies will be provided by Ping Identity, in a manner to be determined in its discretion, only upon written request by Customer.

3. Security Incident Response and Notification. The parties agree that the notification described in Clause 5(d)(ii) of the SCCs (2010) shall be carried out in accordance with Section 8 of the DPA.

4. Security Audits. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the SCCs (2010) shall be carried out in accordance with Section 11 of the DPA.

5. Termination. The parties agree that in the event Customer terminates the Agreement and/or this SCCs (2010) Addendum as described in Clause 5(a) and Clause 5(b) of the SCCs (2010), Customer shall remain liable for all fees set forth on any outstanding Order Form(s), regardless of whether such fees have been invoiced or are yet payable at the time of such termination.

6. Conflict. Except as specifically set forth in this Exhibit 2, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms and conditions of the SCCs (2010), the Agreement, this SCCs (2010) Addendum, and any other previously executed data protection or data privacy agreement (“DPA”), the conflict shall be resolved in the following order of precedence: (i) SCCs (2010), (ii) this Exhibit 1, (iii) the DPA, and (iv) the Agreement.