Data Processing Addendum

by and between Partner and Yandex.

The partner agreeing to these terms ("Partner"), and Yandex Services AG ("Yandex", "processor"), a company incorporated under the laws of Switzerland, and located at Werftestrasse 4, 6005 Luzern, Switzerland have entered into an partnership agreement under which Yandex has agreed to provide Yandex.Cloud Platform Service ("Service") and related technical support to Partner as a reseller or supplier of Yandex.Cloud Platform on the terms of a partnership agreement (hereinafter - the Agreement).

This Data Processing Addendum (the Addendum) is part of the Agreement. Except as modified herein, the terms of the Agreement will remain as agreed in case of contradiction between the terms of this Addendum with the terms of the Agreement, the terms of this Addendum prevail.

1. Scope and Definitions

(a) This Addendum reflects the Parties' agreement with respect to the terms governing the processing and security of Partner Data under the Agreement. This Addendum will, as from the date the Parties enter into the Agreement (the Effective Date), be effective and replace any previously applicable data processing amendment or other terms previously applicable between the Parties to privacy, data processing and/or data security in respect of Partner’s Data under the Agreement.

(b) This Addendum enters into force at the entry into force of the Agreement.

(c) In this Addendum, the following terms shall have the following meanings:

(i) Applicable Data Protection Law shall mean any and all applicable data protection and privacy laws.

(ii) Partner Data means personal data submitted, stored, sent or received through or in relation with the Service by the Partner and the Customer, excluding the personal data of the Partner itself and personal data received from Yandex in order to perform the Agreement.

(iii) Customer means the customer party that entered into an agreement with a Partner regarding the use of Yandex.Cloud Platform

(iv) Subprocessor means any third parties authorized under this Addendum to receive or have access to Partner Data in order to provide parts of the Services.

(v) Term means the period from the Effective Date until the end of validity of Agreement.

(d) „Controller“, „processor“, „data subject“, „personal data“, „processing“ (and „process“), „special categories of personal data“, and “data breach” shall have the meanings given in Applicable Data Protection Law.

2. Processing of Controller Data

(a) Processor and controller responsibilities: The Parties agree that the Yandex is a subprocessor or processor of Partner Data, Partner is a processor or controller of Partner Data; the Customer is a controller or processor, as applicable, of the Customer personal data; and each Party will comply with the obligations applicable to it under the Applicable Data Protection Legislation.

If the Partner is a processor, Partner warrants to Yandex that the Partner’s instructions and actions with respect to that Partner Data, including its appointment of Yandex as another processor, have been authorized by the relevant controller.

The parties agreed that Partner’s instructions can be provided by the Customer. In such case Partner warrants to Yandex that Partner had authorized Customer for such actions.

(b) Appointment as a processor: By entering into this Addendum, the Partner instructs Yandex to process Partner Data only in accordance with applicable law: to provide the Service; as further documented in the form of the Agreement including this Addendum; and as further documented in any other written instructions given by the Partner and acknowledged by the Yandex as constituting instructions for purposes of this Addendum (provided that if there are agreed change management procedures under the Agreement, these will apply to such instructions).

(c) Subject matter of the processing: The Parties agree that the subject matter and details of the processing are as follows:

(i) Subject matter: The provision of the Service to the Partner and/or its Customer by Yandex;

(ii) Duration of the processing and of this Addendum: The Term plus the period from expiry of the Term until deletion of all Partner Data by Yandex in accordance with this Addendum;

(iii) Nature and purpose of the processing: Yandex will process Partner Data submitted, stored, sent or received by the Partner and/or by its Customers for the purposes of providing the Services to Partner and/or Customers in accordance with the Addendum.

(iv) Categories of data: Personal data submitted, stored, sent or received by the Partner and/or Customers via the Services, excluding personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

(v) Data subjects: Partners’ and/or Customers’ employees, contractors, end-users, individuals whose data processed by Partner or Customer at the Partner’s and/or Customers’ discretion, and any other person who transmits data through the Services.

(d) Partner’s Instructions: Yandex will comply with the instructions described in Section 2(a) unless applicable law requires other processing of Partner Data by Yandex, in which case Yandex will inform Partner (unless that law prohibits Yandex from doing so).

3. Subprocessors

(a) Consent to Subprocessor engagement: The Partner generally authorizes the engagement of any third parties as Subprocessors.

(b) Information about Subprocessors: Information about Subprocessors is available at https://storage.yandexcloud.net/yc-compliance/subprocessors.pdf (as may be updated by Yandex from time to time in accordance with this Addendum).

(c) Requirements for Subprocessor engagement. When engaging any Subprocessor, the Partner will ensure through a written instrument (i) that the Subprocessor only accesses and uses Partner Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum); and (ii) if the EU General Data Protection Regulation (Regulation 2016/679) (GDPR) applies to the processing of Partner Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Addendum, are imposed on the Subprocessor. Yandex will remain fully liable for all obligations subcontracted to and all acts and omissions in relation with Partner Data of the Subprocessor.

(d) Objection to Subprocessor changes: When any new Subprocessor (other than an affiliate of Yandex) is engaged during the Term, Yandex will, at least [30] days before such new Subprocessor processes any Partner Data, inform Partner of the engagement. Partner may object to such new Subprocessor, provided such objection is based on reasonable grounds relating to data protection, by terminating the Agreement immediately upon written notice to Yandex, on condition that such notice is provided within [20] days of being informed of the new Subprocessor.

4. Data Deletion

(a) Deletion during the Term: Yandex will enable Partner to delete Partner Data during the Term in a manner consistent with the functionality of the Services. If the Partner uses the Services to delete any Partner Data during the Term and Partner Data cannot be recovered by Partner, this use will constitute an instruction to Yandex to delete the relevant Partner Data in accordance with applicable law. Yandex will comply with this instruction as soon as reasonably practicable unless applicable law allows storage.

(b) On expiry of the Term Partner instructs Yandex to return or delete all Partner Data in its possession or control from the Yandex’s systems in accordance with applicable law. Yandex will comply with this instruction as soon as reasonably practicable, unless applicable law or Agreement allows storage.

5. Data Security

(a) Yandex security measures: Yandex will implement and maintain technical and organizational measures to protect Partner Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described at https://storage.yandexcloud.net/yc-compliance/security_terms.pdf (the Security Measures). Yandex may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

(b) Staff: Yandex will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Partner Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Data Breaches:

(i) If it becomes aware of a confirmed Data Breach, Yandex will inform Partner via e-mail (to the e-mail address Partner provided to Yandex according to the Agreement) within 48 hours and will provide reasonable information and cooperation to Partner to support Partner to his fulfilment of his data breach reporting obligations it may have under Applicable Data Protection Law. Yandex shall further take such reasonably necessary measures and actions to mitigate the effects of the Data Breach and shall keep Partner informed of all material developments in connection with the Data Breach, all at Partner’s costs.

(ii) Notification under this Section will not be construed as an acknowledgement by Yandex of any fault or liability with respect to the Data Breach. Partner is solely responsible for complying with incident notification laws applicable to Partner and fulfilling any third party notification obligations related to any Data Breach(es).

(d) Partner’s security responsibilities: Without prejudice to Yandex’s obligations under Section 5(a)-(c), Partner acknowledges and agrees that the Security Measures provide a level of security appropriate to the risk in respect of Partner Data. Partner is solely responsible (i) for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Partner Data and backing up its Partner Data; and (ii) for evaluating for itself whether the Services and the Yandex’s commitments under this Section 5 meet the Partner’s needs.

6. Cooperation and assistance

(a) Data Subject Rights: During the Term Yandex will, in a manner consistent with the functionality of the Services, enable the Partner to access, rectify and restrict processing of Partner Data and to export Partner Data. If during the Term Yandex receives any request from a data subject in relation to Partner Data, Yandex will advise the data subject to submit his/her request to the Partner, and Partner will be responsible for responding to any such request.

(b) Yandex Processing Records: Where Yandex is required under Applicable Data Protection Law to collect and maintain records processing, Partner will, where requested, provide the required information to Yandex and will ensure that all information provided is kept accurate and up-to-date.

(c) Cost: All cost and expenses incurred by Yandex in the performance of the obligations stated in this Section may be passed on to Partner on a pass-through-basis.

7. Audits

(a) Audit right. Yandex will allow Partner or an independent and suitably qualified auditor appointed by Partner to conduct inspections to verify Yandex’s compliance with its obligations under this Addendum in accordance with Section 7(b). Yandex will reasonably contribute to such audits.

(b) Terms for audits. The following requirements apply to any audit: (i) the Partner must give a minimum thirty (30) days’ notice of intention to audit, (ii) the Partner may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with Yandex of a scope of work for the audit at least ten (10) days in advance; (iv) Yandex may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Partner; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Yandex prior to the audit; and (viii) the Partner shall compensate Yandex for its reasonable costs (including for the time of its personnel, other than your relationship manager) incurred in supporting any audit.

8. Data Transfers

(a) Data storage and processing: the Partner agrees that Yandex may, subject to Section 8(b), store and process the Partner Data in any country in which Yandex or any of its Subprocessors maintains facilities.

(b) Transfers of Partner Data out of Switzerland or the EEA: If the storage and/or processing of Partner Data involves transfers of Partner Data out of Switzerland or the EEA Yandex will take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law, including (as applicable) transferring Partner Data to a recipient that has executed standard contractual clauses adopted or approved by the Swiss Data Protection and Information Commissioner and/or European Commission, as applicable.

(c) In case of transferring Partner Data to a recipient that has executed standard contractual clauses adopted or approved by the Swiss Data Protection and Information Commissioner and/or European Commission, the Partner engages Yandex to enter into the standard contractual clauses, which are available at https://storage.yandexcloud.net/yc-compliance/scc.pdf, on behalf of the Partner as long as there is no standard contractual clauses for personal data transferring from processor to processor.

9. Liability

Each Party’s liability for any breach of this Addendum shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

Date of placement: June 01, 2020