This MinIO Data Processing Agreement (this "Agreement"), effective as of the last date of signature below ("Effective Date"), is entered into by and between MinIO, Inc., a Delaware corporation having offices at 275 Shoreline Dr, Ste 100, Redwood City, CA 94065 ("MinIO") and the other entity listed in the signature box below ("Customer") (each herein referred to individually as a "Party," or collectively as the "Parties"). This Agreement is incorporated by reference in the Agreement (defined below) and governs in connection with MinIO’s processing of Customer’s Personal Data (as defined below). In consideration of the covenants and conditions contained herein, the Parties hereby agree to the following:
1. DEFINITIONS
- 1.1. "Agreement" means any agreement between MinIO and Customer under which Services are provided by MinIO to Customer, including but not limited to service agreements, subscription agreements, order forms, statements of work, or master services agreements.
- 1.2. "Controller," "data subject," "personal data," "personal data breach," "process," "processing," "Processor," and "supervisory authority" shall have the meanings given in applicable Data Protection Legislation or, if not defined in applicable Data Protection Legislation, the GDPR (as defined below).
- 1.3. "Data Protection Legislation" means all applicable data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, as amended or replaced from time to time, including without limitation, the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR").
- 1.4. "Personal Data" means personal data that is submitted to the Services by Customer and processed by MinIO for the purposes of providing the Services to Customer. The types of Personal Data, the specific uses, and retention periods of the Personal Data are detailed in Exhibit A attached hereto.
- 1.5. "Services" means the MinIO services and products ordered or subscribed to by Customer in an Agreement.
- 1.6. "Sub-processor" means any third party engaged by MinIO to process Personal Data on behalf of Customer in connection with the Services.
2. DATA PROCESSING
- 2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the processing of Personal Data for the provision of the Services, Customer is the Controller and MinIO is the Processor. The Parties agree to comply with the applicable Data Protection Legislation.
- 2.2. Processing Instructions. MinIO will process the Personal Data only in accordance with any documented Customer instructions received by MinIO with respect to the processing of such Personal Data. MinIO will process Personal Data for the following purposes: (i) processing necessary for the provision of the Services in accordance with this Agreement and the underlying Agreement; (ii) any processing initiated by Customer's end users in their use of the Services; and (iii) any processing to comply with the other reasonable written instructions provided by Customer to MinIO where such instructions are consistent with the terms of the Agreement, as required to comply with applicable Data Protection Legislation, or as otherwise mutually agreed by the Parties in writing. MinIO will promptly inform Customer if in its opinion compliance with any Customer instruction would infringe Data Protection Legislation.
- 2.3. Customer Responsibilities. Customer will, in its use of the Services, comply with the requirements of applicable Data Protection Legislation which includes instructions to MinIO in regard to the processing of Personal Data. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and for ensuring that the Personal Data was lawfully acquired by Customer (including any authorizations or consents if required). Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to MinIO so that MinIO may lawfully use, process, and transfer the Personal Data in accordance with Customer's instructions.
- 2.4. Cooperation. MinIO will assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to MinIO.
- 2.5. Deletion and Return of Personal Data. MinIO will, at Customer's option, and subject to the terms of this Agreement, if within its control or possession, (i) delete or return all Personal Data to Customer after the end of the provision of the Services, and (ii) delete existing copies of Personal Data unless legally required to retain the Personal Data. Notwithstanding the foregoing, MinIO will not store Personal Data beyond the applicable retention period set forth in Exhibit A.
3. INTERNATIONAL TRANSFERS
- 3.1. International Transfers. Customer consents to, if within its control or possession, processing or transferring any Personal Data in or to a territory other than the territory in which the Personal Data was first collected. MinIO will take such measures as are necessary to ensure such processing or transfer is in compliance with applicable Data Protection Legislation and in accordance with any applicable transfer mechanism provisions set forth in Section 3.2 (Transfer Mechanism) below.
- 3.2. Transfer Mechanism. If applicable Data Protection Legislation places restrictions on the transfer of Personal Data across international borders, then MinIO will work with Customer to ensure that any international transfer is performed in accordance with applicable Data Protection Legislation and, if required, the Parties will execute such applicable legal mechanism ("Transfer Mechanism"). This includes relying on the following Transfer Mechanisms as part of this Agreement:
- 1. EU Standard Contractual Clauses and UK Addendum. To the extent that Personal Data is transferred outside of the EEA, Switzerland, or the United Kingdom those transfers will be subject to the applicable Standard Contractual Clauses as available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
- 2. Data Privacy Framework ("DPF"). If MinIO is certified to the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, such frameworks enable the transfer of personal information to the US from the EU, UK, and Switzerland on the basis of an adequacy decision from the European Commission.
- 3.3. Alternative Transfer Mechanism. MinIO will notify Customer if it determines that a change in applicable Data Protection Legislation will adversely affect or invalidate the warranties and obligations provided under an executed Transfer Mechanism or if an alternative Transfer Mechanism becomes available to use by the Parties. In such an event, MinIO will work with the Customer to find a mutually agreeable solution to ensure that Personal Data is transferred in compliance with applicable Data Protection Legislation.
4. SUB-PROCESSORS
- 4.1. Sub-processing. Customer provides a general authorization to MinIO to engage Sub-processors that are listed in Exhibit A hereto (the "Sub-Processor List") to enable MinIO to fulfill its contractual obligations under the Agreement and to provide support services on MinIO's behalf, subject to compliance with the requirements in this Section. The Sub-processor List includes information on Sub-processors' location and services provided. The Sub-processor List may be updated by MinIO from time to time, in MinIO’s sole discretion and in accordance with Subsection 4.3 (Changes to Sub-Processor List).
- 4.2. Sub-processor Agreements. MinIO will: (i) enter into a written agreement with any Sub-processor that will process Personal Data; (ii) ensure that each such written agreement contains terms that are no less protective of Personal Data than those contained in this Agreement; and (iii) be liable for the acts and omissions of its Sub-processors to the same extent that MinIO would be liable if it were performing the services of each of those Sub-processors directly under the terms of this Agreement. Upon written request by Customer, copies of Sub-processor agreements may be provided to Customer. The Parties agree that copies of any Sub-processor agreements that are provided by MinIO to Customer may have all commercial information, business secrets, or other confidential information redacted by MinIO beforehand.
- 4.3. Changes to Sub-processor List. MinIO will inform Customer of any intended addition or replacement of Sub-processors involved in processing Personal Data. Such notification may be provided by reasonable means, including but not limited to posting an updated list of Sub-processors on MinIO’s website or through other communication channels designated by MinIO. Customer may object to the engagement of a new Sub-processor on reasonable grounds relating to the protection of Personal Data within a reasonable period following such notification. In the event of an objection, MinIO shall have the right to address the objection through one of the following options: (i) MinIO will cancel its plans to use the Sub-processor with regard to processing Personal Data or will offer an alternative to provide the Services without such Sub-processor; (ii) MinIO will take the corrective steps requested by Customer in its objection notice and proceed to use the Sub-processor; or (iii) MinIO may cease to provide, or Customer may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Services that would involve the use of such Sub-processor. If none of the above options are commercially feasible, in MinIO’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties within a reasonable period after MinIO’s receipt of Customer’s objection notice, then either Party may terminate the Agreement, and in such case, Customer will be refunded any pre-paid fees for the applicable Services pro-rated for the unused portion of the subscription term.
5. SECURITY MEASURES AND DATA ACCESS
- 5.1. Security Measures. MinIO will implement appropriate technical, administrative, physical, and organizational measures to adequately safeguard and protect the security and confidentiality of Personal Data against accidental, unauthorized, or unlawful destruction, alteration, modification, processing, disclosure, loss, or access to the extent required by applicable Data Protection Legislation. MinIO will not materially decrease the overall security of the Services as it relates to Personal Data during the term of the Agreement. MinIO will take appropriate steps to ensure compliance with the security measures by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance.
- 5.2. Confidentiality and Limitation of Access. MinIO will ensure that persons authorized to process Personal Data on behalf of MinIO have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Only MinIO persons authorized to process Personal Data will have access to Personal Data to the extent it is necessary.
6. SECURITY INCIDENTS
MinIO shall notify Customer without undue delay if it becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer's Personal Data, including any "personal data breach" as defined in the GDPR (a "Security Incident"). In the event of a Security Incident, MinIO will (i) take reasonable steps to identify the cause of the Security Incident; and (ii) take any actions necessary and reasonable to remediate the cause of such Security Incident. MinIO will also reasonably cooperate with Customer with respect to any investigations and with preparing potentially required notices, and provide any information reasonably requested by Customer in relation to the Security Incident.
7. RIGHTS OF DATA SUBJECTS
Taking into account the nature of the processing, MinIO will reasonably assist Customer to enable their ability to respond to data subject rights requests provided under applicable Data Protection Legislation relating to the processing of Personal Data, including providing reasonable assistance in implementing technical and organizational measures. MinIO shall, to the extent legally permitted, promptly notify Customer if MinIO receives such a request. To the extent legally permitted, Customer shall be responsible for any reasonable costs that MinIO may incur in providing such assistance.
8. DOCUMENTATION AND AUDIT RIGHT
- 8.1. Records of Processing. MinIO will maintain a record of all categories of processing activities carried out on behalf of Customer. MinIO will make available to Customer or relevant supervisory authority, if requested, all information necessary to demonstrate MinIO's compliance with its obligations under applicable Data Protection Legislation.
- 8.2. Audits. The Parties agree that the audits required under applicable Data Protection Legislation will be carried out in accordance with the following conditions:
- 1. An audit of MinIO's data processing facilities may be performed no more than once per year during MinIO's normal business hours, unless (a) otherwise agreed to in writing by Customer and MinIO, (b) required by a regulator or under applicable Data Protection Legislation, or (c) there is a Security Incident concerning Personal Data;
- 2. Customer will provide MinIO with at least thirty (30) days' prior written notice of an audit, which may be conducted by Customer, or an independent auditor appointed by Customer that is not a competitor of MinIO;
- 3. The auditors will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by MinIO;
- 4. The scope of an audit will be limited to MinIO systems, processes, and documentation relevant to the processing and protection of Personal Data;
- 5. Prior to the start of an audit, the Parties will agree to reasonable scope, time, duration, place, and conditions for the audit, and a reasonable reimbursement rate payable by Customer to MinIO for MinIO’s audit expenses;
- 6. If available, MinIO will provide an auditor, upon request, with any third-party certifications pertinent to MinIO's compliance with its obligations under this Agreement; and
- 7. Customer will promptly notify and provide MinIO with full details regarding any perceived non-compliance or security concerns discovered during the course of an audit.
9. TERM AND TERMINATION
The term of this Agreement shall start on the Effective Date and expire immediately upon termination or expiration of the underlying Agreement between the Parties or as in accordance with this Section, whichever is earlier. Either Party may terminate this Agreement at any time for any reason upon written notice. Any sections that by their nature should survive, shall survive the expiration or termination of this Agreement. Notwithstanding the foregoing, each Party's obligations herein shall survive any termination or expiration of this Agreement for a period of two (2) years after such termination or expiration, provided any Personal Data that is deemed a trade secret under applicable law shall remain protected until such information is no longer deemed a trade secret under applicable law.
10. REMEDIES
The Parties agree that any violation or threatened violation of this Agreement may cause irreparable injury to the non-breaching Party, entitling the non-breaching Party to obtain injunctive relief in addition to all legal remedies without showing or proving any actual damage and without any bond being required to be posted.
11. MISCELLANEOUS
- 11.1. Assignment. Neither Party may assign this Agreement or any of its rights or obligations under this Agreement, whether by operation of law or otherwise, without the prior written consent of the other Party (not to be unreasonably withheld), except that either Party may assign this Agreement in its entirety, upon written notice but without the consent of the other Party, to (i) an Affiliate; or (ii) in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party. Any attempt by a Party to assign its rights or obligations under this Agreement in breach of this Section 14.1 shall be void and of no effect. Notwithstanding the foregoing, this Agreement shall bind and inure to the benefit of the Parties and their respective successors and permitted assigns.
- 11.2. Governing Law. This Agreement will be governed, interpreted, and construed in accordance with the laws of the State of California, without regard to conflict of law principles. Any disputes arising out of or related to this Agreement will be resolved exclusively in the state or federal courts located in Santa Clara County, California. Each Party hereby represents and warrants that the persons executing this Agreement on its behalf have express authority to do so, and, in so doing, to bind the Party thereto.
- 11.5. Entire Agreement. This Agreement contains the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior written and oral agreements between the Parties regarding such subject matter. If a court or other body of competent jurisdiction finds any provision of this Agreement, or portion thereof, to be invalid or unenforceable, such provision will be enforced to the maximum extent permissible so as to effect the intent of the Parties, and the remainder of this Agreement will continue in full force and effect. No provision of this Agreement may be waived except by a writing executed by the Party against whom the waiver is to be effective. A Party's failure to enforce any provision of this Agreement shall neither be construed as a waiver of the provision nor prevent the Party from enforcing any other provision of this Agreement. No provision of this Agreement may be amended or otherwise modified except by a writing signed by the Parties to this Agreement. The Parties may execute this Agreement in counterparts, each of which shall be deemed an original, but all of which together constitute one and the same agreement. This Agreement may be delivered by facsimile transmission, and facsimile copies of executed signature pages shall be binding as originals.
EXHIBIT A
DETAILS OF PROCESSING
I. Types of Personal Data Processed
The following table lists the Personal Data that is processed by MinIO Services:
II. Categories of Data Subjects
The Personal Data processed may relate to the following categories of data subjects:
- Customer's employees, contractors, and authorized users
- Customer's clients and end users
- Third parties with whom Customer conducts business
- Technical contacts and system administrators
III. Nature and Purpose of Processing
The nature and purpose of MinIO's processing of Personal Data is to:
- Provide object storage services and related technical support
- Maintain system security and performance monitoring
- Provide user authentication and access control
- Generate usage analytics and system logs
- Facilitate data backup and disaster recovery services
- Provide customer support and technical assistance
IV. Duration of Processing
Personal Data will be processed for the duration of the Agreement and retained in accordance with the following:
- Active Data: Retained for the duration of the Services subscription
- Log Data: Retained for a maximum of 12 months unless otherwise specified
- Backup Data: Retained for a maximum of 30 days unless Customer requests longer retention
- Security Incident Data: Retained for a maximum of 2 years for investigation purposes
V. Sub-processors
The following Sub-processors are authorized to process Personal Data on behalf of Customer:
VI. Data Storage Locations
Personal Data may be stored and processed in the following locations:
- United States
- European Union (for EU customers upon request)
- Other locations as required by Customer and agreed to in writing