This MinIO Data Processing Agreement (this "DPA"), effective as of the effective date of the Agreement ("Effective Date"), is entered into by and between MinIO, Inc., a Delaware corporation having offices at 275 Shoreline Dr, Ste 100, Redwood City, CA 94065 ("MinIO") and the counterparty identified in the Agreement ("Customer") (each herein referred to individually as a "Party," or collectively as the "Parties"). As used in this DPA, "Customer" includes both Customers and Vendors who have entered into an Agreement with MinIO. This DPA is incorporated by reference in the Agreement (defined below) and governs in connection with MinIO's processing of Customer Personal Data (as defined below). Capitalized terms not defined herein shall have the same meaning as in the Agreement.
This DPA may be periodically updated from time to time to reflect changes in applicable data protection laws, regulatory requirements, or best practices, and the current version will be posted at https://min.io/legal. Your continued use of the Products after a revised DPA has been posted constitutes Your acceptance of its terms.
In consideration of the covenants and conditions contained herein, the Parties hereby agree to the following:
1. DEFINITIONS
- 1.1. "Agreement" means any agreement between MinIO and Customer under which Software or SUBNET is provided by MinIO to Customer, including but not limited to customer license and subscription agreements, OEM agreements, service agreements, OEM and MSP agreements, subscription agreements, order forms, statements of work, or master services agreements.
- 1.2. "Controller," "data subject," "personal data," "personal data breach," "process," "processing," "Processor," and "supervisory authority" shall have the meanings given in applicable Data Protection Legislation or, if not defined in applicable Data Protection Legislation, the GDPR (as defined below).
- 1.3. "Data Protection Legislation" means all applicable data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, as amended or replaced from time to time, including without limitation, the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR").
- 1.4. "Personal Data" means personal data that is submitted to the Software or SUBNET by Customer or via telemetry collection and processed by MinIO for the purposes of providing the Software or SUBNET to Customer or its end users. The types of Customer Personal Data, the specific uses, and retention periods of the Customer Personal Data are detailed in Exhibit A attached hereto.
- 1.5. "SUBNET" means MinIO's subscription network service.
- 1.6. "Sub-processor" means, with respect to any processing performed by MinIO as a processor, a third party engaged by MinIO to process Customer Personal Data on its behalf.
2. DATA PROCESSING
- 2.1. Overview. MinIO provides the Software solution to be deployed on the Customer’s premises. Customer’s use of the Software does not require MinIO to host Customer Personal Data. Upon Customer's download of the Software, MinIO may automatically collect limited technical data, including IP addresses. MinIO offers SUBNET, which uses telemetry data to help identify and monitor Customer’s registered cluster health, resolve Customer support related issues, and collect and analyze Usage Data. If Customer chooses to register its clusters with SUBNET, MinIO will have access to additional Customer Personal Data as described in Exhibit A. Customer may choose not to register its clusters with SUBNET and may use the Software in an air-gapped environment, in which case MinIO will not have access to any Customer Personal Data unless Customer voluntarily provides such data to MinIO. For AIStor Free Tier Customers, MinIO’s collection and use of personal data is governed by MinIO’s Privacy Policy.
- 2.2. Roles of the Parties. Subject to Section 2.1, the Parties acknowledge and agree that with regard to the processing of Customer Personal Data for the provision of the Software or SUBNET, Customer is the Controller and MinIO is the Processor. In the event MinIO is the Controller, MinIO’s Privacy Policy shall apply. The Parties agree to comply with the applicable Data Protection Legislation.
- 2.3. Processing Instructions. Subject to Section 2.1, MinIO will process the Customer Personal Data only in accordance with any documented Customer instructions received by MinIO with respect to the processing of such Customer Personal Data. MinIO will process Customer Personal Data for the following purposes: (i) processing necessary for the provision of Software or SUBNET in accordance with this DPA and the underlying Agreement; (ii) any processing initiated by Customer's or its end users' use of the Software and SUBNET; (iii) as otherwise necessary for MinIO to provide any support related services; and (iv) any processing to comply with the other reasonable written instructions provided by Customer to MinIO where such instructions are consistent with the terms of the Agreement, as required to comply with applicable Data Protection Legislation, or as otherwise mutually agreed by the Parties in writing. MinIO will promptly inform Customer if in its opinion compliance with any Customer instruction would infringe Data Protection Legislation.
- 2.4. Customer Responsibilities. Customer will, in its use of the Software and SUBNET, comply with the requirements of applicable Data Protection Legislation which includes instructions to MinIO in regard to the processing of Customer Personal Data. Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and for ensuring that the Customer Personal Data was lawfully acquired by Customer (including any authorizations or consents if required). Customer shall ensure that Customer is entitled to transfer the relevant Customer Personal Data to MinIO so that MinIO may lawfully use, process, and transfer the Customer Personal Data in accordance with Customer's instructions.
- 2.5. Cooperation. MinIO will assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to MinIO.
- 2.6. Deletion and Return of Customer Personal Data. MinIO will, at Customer's option, and subject to the terms of this Agreement, if within its control or possession, (i) delete or return all Customer Personal Data to Customer after the end of the Customer’s subscription to the Software, and (ii) delete existing copies of Customer Personal Data unless legally required to retain the Customer Personal Data. Notwithstanding the foregoing, MinIO will not store Customer Personal Data beyond the applicable retention period set forth in Exhibit A.
3. INTERNATIONAL TRANSFERS
- 3.1. International Transfers. Customer consents to MinIO, if within its control or possession, processing or transferring any Personal Data in or to a territory other than the territory in which the Personal Data was first collected. MinIO will take such measures as are necessary to ensure such processing or transfer is in compliance with applicable Data Protection Legislation and in accordance with any applicable transfer mechanism provisions set forth in Section 3.2 (Transfer Mechanism) below.
- 3.2. Transfer Mechanism. If applicable Data Protection Legislation places restrictions on the transfer of Personal Data across international borders, then MinIO will work with Customer to ensure that any international transfer is performed in accordance with applicable Data Protection Legislation and, if required, the Parties will execute such applicable legal mechanism ("Transfer Mechanism"). This includes relying on the following Transfer Mechanisms as part of this Agreement:
- 1. EU Standard Contractual Clauses and UK Addendum. To the extent that Customer Personal Data is transferred outside of the EEA, Switzerland, or the United Kingdom those transfers will be subject to the applicable Standard Contractual Clauses as available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en which are hereby incorporated into this DPA by reference.
- 2. Data Privacy Framework ("DPF"). If MinIO is certified to the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, such frameworks enable the transfer of personal information to the US from the EU, UK, and Switzerland on the basis of an adequacy decision from the European Commission.
- 3.3. Alternative Transfer Mechanism. MinIO will notify Customer if it determines that a change in applicable Data Protection Legislation will adversely affect or invalidate the warranties and obligations provided under an executed Transfer Mechanism or if an alternative Transfer Mechanism becomes available to use by the Parties. In such an event, MinIO will work with the Customer to find a mutually agreeable solution to ensure that Customer Personal Data is transferred in compliance with applicable Data Protection Legislation.
4. CALIFORNIA PRIVACY RIGHTS
- 4.1. Applicability and Service Provider Status. This Section 4 applies solely to the extent MinIO actually receives Personal Information (as defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, collectively the "CCPA") of California residents in connection with the Agreement. To the extent MinIO does not receive California resident Personal Information, the obligations in this Section 4 do not apply. Where this Section does apply, MinIO acts solely as a "service provider" as defined under the CCPA and not as a "business." MinIO processes California resident Personal Information only on Customer's behalf and solely for the Business Purposes set forth in Section 4.2 below. MinIO shall not sell or share (as those terms are defined under the CCPA) California resident Personal Information.
- 4.2. Permitted Business Purposes. MinIO may process California resident Personal Information received through Support Services or use of the Products solely for the following Business Purposes: (i) performing Support Services on behalf of Customer and providing the Products in accordance with the Agreement; (ii) detecting security incidents and protecting against malicious, deceptive, or illegal actions to the extent reasonably necessary to provide the Support Services; (iii) debugging and identifying errors that impair existing intended functionality of the Software or SUBNET; and (iv) complying with applicable law or legal process. MinIO shall not process California resident Personal Information for any purpose outside the foregoing Business Purposes without Customer's prior written consent.
- 4.3. Customer Responsibilities. Customer is solely responsible for all obligations arising from its role as a "business" under the CCPA, including: (i) providing all required notices to California residents regarding the collection, use, and disclosure of their Personal Information; (ii) obtaining all necessary consents for sharing Personal Information with MinIO as a service provider; and (iii) receiving, evaluating, and responding to all verifiable consumer requests. MinIO shall have no liability arising from Customer's failure to fulfill any of the foregoing obligations. MinIO has no direct relationship with California residents whose Personal Information Customer may provide to MinIO and does not collect Personal Information directly from consumers.
- 4.4. Cooperation and Costs. To the extent MinIO possesses California resident Personal Information in connection with this Agreement, MinIO will provide reasonable assistance to Customer in fulfilling verifiable consumer requests, including deletion or return of Personal Information as directed by Customer in accordance with Section 2.6 of this DPA. Customer shall bear any reasonable costs MinIO incurs in providing such assistance. If MinIO receives a verifiable consumer request directly from a California resident, MinIO shall promptly notify Customer and shall not respond to such request without Customer's prior written authorization, except as required by applicable law. To the extent MinIO engages subcontractors who access California resident Personal Information, MinIO shall ensure such subcontractors are bound by restrictions at least as protective as those set forth in this Section 4.
5. SUB-PROCESSORS
- 5.1. Sub-processing. Customer provides a general authorization to MinIO to engage Sub-processors that are listed here (the "Sub-Processor List") to enable MinIO to fulfill its contractual obligations under the Agreement and to provide support services on MinIO's behalf, subject to compliance with the requirements in this Section. The Sub-processor List includes information on Sub-processors' location and services provided. The Sub-processor List may be updated by MinIO from time to time, in MinIO’s sole discretion and in accordance with Subsection 5.3 (Changes to Sub-Processor List).
- 5.2. Sub-processor Agreements. MinIO will: (i) enter into a written agreement with any Sub-processor that will process Customer Personal Data; (ii) ensure that each such written agreement contains terms that are no less protective of Customer Personal Data than those contained in this Agreement; and (iii) be liable for the acts and omissions of its Sub-processors to the same extent that MinIO would be liable if it were performing the services of each of those Sub-processors directly under the terms of this Agreement.
- 5.3. Changes to Sub-processor List. MinIO will inform Customer of any intended addition or replacement of Sub-processors involved in processing Customer Personal Data. Such notification may be provided by reasonable means, including but not limited to posting an updated list of Sub-processors on MinIO’s website or through other communication channels designated by MinIO. Customer may object to the engagement of a new Sub-processor on reasonable grounds relating to the protection of Customer Personal Data within a reasonable period following such notification which shall not exceed thirty (30) days from the date of notification. In the event of an objection, MinIO shall have the right to address the objection through one of the following options: (i) MinIO will cancel its plans to use the Sub-processor with regard to processing Customer Personal Data or will offer an alternative to provide the Software, Support Services, or SUBNET without such Sub-processor; (ii) MinIO will take the corrective steps requested by Customer in its objection notice and proceed to use the Sub-processor; or (iii) MinIO may cease to provide, or Customer may agree not to use, whether temporarily or permanently, the particular aspect or feature of the Software, Support Services, or SUBNET that would involve the use of such Sub-processor. If none of the above options are commercially feasible, in MinIO’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties within a reasonable period after MinIO’s receipt of Customer’s objection notice, then either Party may terminate the Agreement, and in such case, Customer will be refunded any pre-paid fees for the applicable Software pro-rated for the unused portion of the subscription term.
6. SECURITY MEASURES AND DATA ACCESS
- 6.1. Security Measures. MinIO will implement appropriate technical, administrative, physical, and organizational measures to adequately safeguard and protect the security and confidentiality of Customer Personal Data against accidental, unauthorized, or unlawful destruction, alteration, modification, processing, disclosure, loss, or access to the extent required by applicable Data Protection Legislation. MinIO will not materially decrease the overall security of the Software or SUBNET as it relates to Customer Personal Data during the term of the Agreement. MinIO will take appropriate steps to ensure compliance with the security measures by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance.
- 6.2. Confidentiality and Limitation of Access. MinIO will ensure that persons authorized to process Customer Personal Data on behalf of MinIO have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Only MinIO persons authorized to process Customer Personal Data will have access to Customer Personal Data to the extent it is necessary.
7. SECURITY INCIDENTS
MinIO shall notify Customer without undue delay if it becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer Personal Data, including any "personal data breach" as defined in the GDPR (a "Security Incident"). In the event of a Security Incident, MinIO will (i) take reasonable steps to identify the cause of the Security Incident; and (ii) take any actions necessary and reasonable to remediate the cause of such Security Incident. MinIO will also reasonably cooperate with Customer with respect to any investigations and with preparing potentially required notices, and provide any information reasonably requested by Customer in relation to the Security Incident.
8. RIGHTS OF DATA SUBJECTS
Taking into account the nature of the processing, MinIO will reasonably assist Customer in responding to data subject rights requests provided under applicable Data Protection Legislation relating to the processing of Customer Personal Data, including providing reasonable assistance in implementing technical and organizational measures. MinIO shall, to the extent legally permitted, promptly notify Customer if MinIO receives such a request. To the extent legally permitted, Customer shall be responsible for any reasonable costs that MinIO may incur in providing such assistance.
9. DOCUMENTATION AND AUDIT RIGHT
- 9.1. Records of Processing. MinIO will maintain a record of all categories of processing activities carried out on behalf of Customer. MinIO will make available to Customer or relevant supervisory authority, where necessary, information reasonably necessary to demonstrate MinIO's compliance with its obligations under applicable Data Protection Legislation. Upon request, MinIO will provide to Customer its data protection compliance certifications or such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards (“Certifications”).
- 9.2. Audits. The Parties agree that the audits required under applicable Data Protection Legislation will be carried out in accordance with the following conditions:
- i. An audit of MinIO's data processing facilities may be performed no more than once per year during MinIO's normal business hours and in a manner that is minimally disruptive to MinIO’s business, unless (a) otherwise agreed to in writing by Customer and MinIO, (b) required by a regulator or under applicable Data Protection Legislation, or (c) there is a Security Incident concerning Personal Data;
- ii. Customer will provide MinIO with at least thirty (30) days' prior written notice of an audit, which may be conducted by Customer, or an independent auditor appointed by Customer that is not a competitor of MinIO;
- iii. The auditors will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by MinIO;
- iv. The scope of an audit will be limited to MinIO systems, processes, and documentation relevant to the processing and protection of Personal Data;
- v. Prior to the start of an audit, the Parties will agree to reasonable scope, time, duration, place, and conditions for the audit, and a reasonable reimbursement rate payable by Customer to MinIO for MinIO’s audit expenses;
- vi. If available, MinIO will provide an auditor, upon request, with any third-party certifications pertinent to MinIO's compliance with its obligations under this Agreement;
- vii. Customer will promptly notify and provide MinIO with full details regarding any perceived non-compliance or security concerns discovered during the course of an audit; and
- viii. If an audit requested by Customer is addressed in the Certification(s) provided by MinIO in accordance with Section 9.1 above, Customer agrees to accept such Certification in lieu of conducting a physical audit of the controls that are covered by the relevant Certification.
10. TERM AND TERMINATION
The term of this DPA shall start on the Effective Date and expire immediately upon termination or expiration of the underlying Agreement between the Parties and once all Customer Personal Data has been returned or deleted by MinIO.
EXHIBIT A
DETAILS OF PROCESSING
I. Types of Personal Data Processed
The following table lists the Personal Data that is processed by MinIO:
MinIO collects the following data derived from telemetry data when Customer downloads the Software:
MinIO collects the following data derived from telemetry data when Customer downloads and/or uses the Software, provided such use is in a non-air gapped environment:
MinIO collects the following data when Customer registers its clusters with SUBNET or uses SUBNET:
II. Categories of Data Subjects
The Personal Data processed may relate to the following categories of data subjects:
- Customer's employees, contractors, and Authorized Users
- Customer's clients and end users
- Third parties with whom Customer conducts business
- Technical contacts and system administrators
III. Nature and Purpose of Processing
The nature and purpose of MinIO's processing of Personal Data is to:
- Provide object storage services and related technical support
- Maintain system security and performance monitoring
- Provide user authentication and access control
- Generate usage analytics and system logs
- Facilitate data backup and disaster recovery services
- Provide Customer Support Services and technical assistance
- Improve or update the Products or SUBNET
IV. Duration of Processing
- Active Data: Retained for the duration of the Products subscription
- Log Data: Retained for a maximum of twelve (12) months unless otherwise specified
- Backup Data: Retained for a maximum of thirty (30) days unless Customer requests longer retention
- Security Incident Data: Retained for a maximum of two (2) years for investigation purposes
Personal Data will be processed for the duration of the Agreement and Customer's subscription to the Products. Notwithstanding the foregoing time limits, Personal Data may be retained as necessary to comply with applicable law or fulfill legitimate business purposes, including audit, security, Customer request, or dispute resolution obligations. Technical Data may be retained indefinitely.
V. Data Storage Locations
Personal Data may be stored and processed in the following locations:
- United States
- European Union
- Other locations as required by Customer and agreed to in writing
- Other locations required for Customer’s access and use of the Support Services or Software
- Other locations where MinIO personnel are located, in order to respond to and/or resolve Customer’s support needs