Data Processing Addendum
by and between Customer (the Controller) and Yandex (the Processor).
The Controller and the Processor are the parties (the Parties) of Yandex.Cloud Customer Agreement concluded either by the Controller's acceptance of the agreement terms available at: https://yandex.com/legal/cloud_customer_agreement or by signing of a written version of Yandex.Cloud Customer Agreement by both Parties, specifying that the Processor will provide certain services (the Services) to the Controller (the Agreement). This Data Processing Addendum (the Addendum) is part of the Agreement. Except as modified herein, the terms of the Agreement will remain as agreed. In case of contradictions between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum prevail.
1. Scope and Definitions
(a) This Addendum reflects the Parties’ agreement with respect to the terms governing the processing and security of Controller Data under the Agreement. This Addendum will, as from the date the Parties enter into the Agreement (the Effective Date), be effective and replace any previously applicable data processing amendment or other terms previously applicable between the Parties to privacy, data processing and/or data security in respect of Controller Data under the Agreement.
(b) This Addendum enters into force at the entry into force of the Agreement.
(c) In this Addendum, the following terms shall have the following meanings:
(i) Applicable Data Protection Law shall mean any and all applicable data protection and privacy laws.
(ii) Controller Data means personal data submitted, stored, sent or received through or in relation with the Services by the Controller, excluding the personal data of the Controller itself and personal data received from the Processor in order to perform the Agreement.
(iii) Customer (Controller) means the customer party that entered into the Agreement and Yandex (Processor) means Yandex Services AG.
(iv) Subprocessor means any third parties authorized under this Addendum to receive or have access to Controller Data in order to provide parts of the Services.
(v) Term means the period from the Effective Date until the end of the provision of Services.
(d) “Controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”), “special categories of personal data”, and “data breach” shall have the meanings given in Applicable Data Protection Law.
2. Processing of Controller Data
(a) Processor and controller responsibilities: The Parties agree that the Processor is a processor of Controller Data; the Controller is a controller or processor, as applicable, of the Controller Data; and each Party will comply with the obligations applicable to it under the Applicable Data Protection Legislation. If the Controller is a processor, the Controller warrants to the Processor that the Controller’s instructions and actions with respect to Controller Data, including its appointment of Processor as another processor, have been authorized by the relevant controller.
(b) Appointment as a processor: By entering into this Addendum, the Controller instructs the Processor to process Controller Data to provide the Services; as further documented in the form of the Agreement including this Addendum; and as further documented in any other written instructions given by the Controller and acknowledged by the Processor as constituting instructions for purposes of this Addendum (provided that if there are agreed change management procedures under the Agreement, these will apply to such instructions).
(c) Subject matter of the processing: The Parties agree that the subject matter and details of the processing are as follows:
(i) Subject matter: The Processor’s provision of the Services to the Controller;
(ii) Duration of the processing and of this Addendum: The Term plus the period from expiry of the Term until deletion of all Controller Data by the Processor in accordance with this Addendum;
(iii) Nature and purpose of the processing: The Processor will process Controller Data submitted, stored, sent or received by the Controller for the purposes of providing the Services to Controller in accordance with the Addendum.
(iv) Categories of data: Personal data submitted, stored, sent or received by the Controller via the Services.
(v) Data subjects: Controller’s employees, contractors, end-users, individuals whose data is processed by the Controller at the Controller’s discretion, and any other person who transmits data through the Services.
(d) Controller’s Instructions: The Processor will comply with the instructions described in Section 2(a) unless applicable law requires other processing of Controller Data by the Processor, in which case the Processor will inform the Controller (unless that law prohibits the Processor from doing so).
(a) Consent to Subprocessor engagement: The Controller generally authorizes the engagement of any third parties as Subprocessors.
(b) Information about Subprocessors: Information about Subprocessors is available at https://storage.yandexcloud.net/yc-compliance/subprocessors.pdf (as may be updated by the Processor from time to time in accordance with this Addendum).
(c) Requirements for Subprocessor engagement. When engaging any Subprocessor, the Processor will ensure through a written instrument (i) that the Subprocessor only accesses and uses Controller Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum); and (ii) if the EU General Data Protection Regulation (Regulation 2016/679) (GDPR) applies to the processing of Controller Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Addendum, are imposed on the Subprocessor. The Processor will remain fully liable for all obligations subcontracted to and all acts and omissions in relation with Controller Data of the Subprocessor.
(d) Objection to Subprocessor changes: When any new Subprocessor (other than an affiliate of the Processor) is engaged during the Term, the Processor will, at least  days before such new Subprocessor processes any Controller Data, inform the Controller of the engagement. The Controller may object to such new Subprocessor, provided such objection is based on reasonable grounds relating to data protection, by terminating the Agreement immediately upon written notice to the Processor, on condition that such notice is provided within  days of being informed of the new Subprocessor.
4. Data Deletion
(a) Deletion during the Term: The Processor will enable the Controller to delete Controller Data during the Term in a manner consistent with the functionality of the Services. If the Controller uses the Services to delete any Controller Data during the Term and the Controller Data cannot be recovered by the Controller, this use will constitute an instruction to the Processor to delete the relevant Controller Data in accordance with applicable law. The Processor will comply with this instruction as soon as reasonably practicable unless applicable law allows storage.
(b) On expiry of the Term the Controller instructs the Processor to return or delete all Controller Data in its possession or control from the Processor’s systems in accordance with applicable law. The Processor will comply with this instruction as soon as reasonably practicable, unless applicable law or Agreement allows storage.
5. Data Security
(a) The Processor’s security measures: The Processor will implement and maintain technical and organizational measures to protect Controller Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described at https://cloud.yandex.com/docs/overview/security (the Security Measures). The Processor may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
(b) Staff: The Processor will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Controller Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Data Breaches:
(i) If it becomes aware of a confirmed Data Breach, the Processor will inform the Controller via e-mail (to the e-mail address the Controller provided to the Processor according to the Agreement) within 48 hours and will provide reasonable information and cooperation to the Controller to support the Controller in fulfilling any data breach reporting obligations it may have under Applicable Data Protection Law. The Processor shall further take such reasonably necessary measures and actions to mitigate the effects of the Data Breach and shall keep the Controller informed of all material developments in connection with the Data Breach, all at Controller’s costs.
(ii) Notification under this Section will not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Data Breach. The Controller is solely responsible for complying with incident notification laws applicable to the Controller and fulfilling any third party notification obligations related to any Data Breach(es).
(d) Controller’s security responsibilities: Without prejudice to the Processor’s obligations under Section 5(a)-(c), the Controller acknowledges and agrees that the Security Measures provide a level of security appropriate to the risk in respect of the Controller Data. The Controller is solely responsible (i) for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Controller Data and backing up its Controller Data; and (ii) for evaluating for itself whether the Services and the Processor’s commitments under this Section 5 meet the Controller’s needs.
6. Cooperation and assistance
(a) Data Subject Rights: During the Term the Processor will, in a manner consistent with the functionality of the Services, enable the Controller to access, rectify and restrict processing of Controller Data and to export Controller Data. If during the Term the Processor receives any request from a data subject in relation to Controller Data, the Processor will advise the data subject to submit his/her request to the Controller, and the Controller will be responsible for responding to any such request.
(b) Processor’s Processing Records: Where the Processor is required under Applicable Data Protection Law to collect and maintain records of processing, the Controller will, where requested, provide the required information to the Processor and will ensure that all information provided is kept accurate and up-to-date.
(c) Cost: All costs and expenses incurred by the Processor in the performance of the obligations stated in this Section may be passed on to the Controller on a pass-through basis.
(a) Audit right. The Processor will allow the Controller or an independent and suitably qualified auditor appointed by the Controller to conduct inspections to verify the Processor’s compliance with its obligations under this Addendum in accordance with Section 7(b). The Processor will reasonably contribute to such audits.
(b) Terms for audits. The following requirements apply to any audit: (i) the Controller must give a minimum thirty (30) days’ notice of intention to audit, (ii) the Controller may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with the Processor of a scope of work for the audit at least ten (10) days in advance; (iv) the Processor may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Controller; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by the Processor prior to the audit; and (viii) the Controller shall compensate the Processor for its reasonable costs (including for the time of its personnel, other than your relationship manager) incurred in supporting any audit.
8. Data Transfers
(a) Data storage and processing: The Controller agrees that the Processor may, subject to Section 8(b), store and process Controller Data in any country in which the Processor or any of its Subprocessors maintains facilities.
(b) Transfers of Controller Data out of Switzerland or the EEA: If the storage and/or processing of Controller Data involves transfers of Controller Data out of Switzerland or the EEA the Processor will take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law, including (as applicable) transferring Controller Data to a recipient that has executed standard contractual clauses adopted or approved by the Swiss Data Protection and Information Commissioner and/or European Commission, as applicable.
Each Party’s liability for any breach of this Addendum shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.
Web address: https://yandex.com/legal/cloud_dpa
Date of placement: October 08, 2021
Effective date: October 19, 2021
Previous version of the document: https://yandex.com/legal/cloud_dpa/01062021
Previous version of the document: https://yandex.com/legal/cloud_dpa/10022021
Previous version of the document: https://yandex.com/legal/cloud_dpa/06052020