Data Processing Agreement
Last updated: March 31, 2023
This is a reference copy of the ngrok Data Processing Agreement. For a full copy including the attached schedules and the Standard Contractual Clauses, please click here.
This Data Processing Agreement is between (1) the customer agreeing to the ngrok Terms of Service currently located at https://ngrok.com/tos, or another written agreement executed by the Parties that references this Data Processing Agreement (the “Terms”) (such customer hereinafter “Customer“ or “Company”) and (2) ngrok Inc., as the provider of the Services under the Terms (hereinafter “ngrok’ or “Service Provider“). Customer and ngrok together are also referred to as the “Parties” and each is also referred to as a “Party“. The DPA applies to all Processing of Customer Personal Data by Service Provider under the Agreement. Should there be a conflict between this DPA, and the Agreement, this DPA will govern.
1. Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1 “Applicable Laws” means all statutes, laws, rules, regulations, ordinances, and the like of any federal, international, city, state, provincial, or local government or governmental agency applicable to Services under the Agreement including without limitation Data Protection Laws.
1.2 “Confidential Information” is defined in the Agreement.
1.3 “Customer Personal Data” means any Personal Data provided by or made available by Customer to Service Provider or collected by Service Provider on behalf of Customer, which Service Provider Processes to perform the Services.
1.4 “Data Breach” means unauthorized acquisition of, access to, disclosure of, or use of, Customer Personal Data.
1.5 “Data Protection Laws” means Applicable Laws relating to privacy, security, or protection of Personal Data, as may be defined by such laws, including, for example and to the extent applicable, the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); the California Consumer Protection Act (“CCPA”), regulations and official guidance adopted thereunder, and any subsequent supplements, amendments, or replacements to the same.
1.6 “Data Subject” means an identified or identifiable natural person about whom Personal Data is Processed under this Agreement or as otherwise defined (including under similar terms such as “consumer”) under Data Protection Laws.
1.7 “Personal Data” means data that that relates to an identified or identifiable natural person or as otherwise defined under Data Protection Laws.
1.8 “Process, processed, or processing” means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.
1.9 “Sell” or “selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.
1.10 “Services” means services provided by Service Provider under the Agreement and all schedules, order forms, and statements of work thereunder.
1.11 “Share” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for cross-context behavioural advertising (as that term is defined in the CCPA), whether or not for monetary or other valuable consideration.
1.12 “Sub-processor” means any person or entity engaged by Service Provider that Processes Customer Personal Data.
1.13 The terms “Controller,” “Processor,” “Data Processor,” and “Business,” shall have the same meaning as in Data Protection Laws.
2. Data Ownership/Licenses
2.1 Ownership. For purposes of this DPA, as between the parties, Customer retains all right, title, and interest in Customer Personal Data.
2.2 License. Subject to its compliance with the Agreement and DPA, Customer grants to Service Provider a worldwide, perpetual, fully paid-up right and license under all applicable intellectual property laws to make, use, copy, distribute, display, organize, create derivative works from, and otherwise Process, the Customer Personal Data, and to sublicense all the foregoing rights to Sub-processors, as necessary for the Services, rights, and obligations under the Agreement and this DPA.
3. Scope of Processing
3.1 Roles of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, Service Provider is a Processor and a service provider (as that term is defined in Data Protection Laws) and Customer is a Controller and Business, except that if Customer is a Processor in which case Service Provider is a Sub-processor. If Customer is a Processor of Customer Personal Data, Customer represents and warrants that Customer’s instructions and Processing of Customer Personal Data, including its appointment of Service Provider as a Sub-processor, have been authorized by the respective Controller.
3.2 Details of Processing. Exhibit 1 to this DPA (Description of Processing and Transfer Details) provides information about the subject matter and details of the Processing of Personal Data.
3.3 Customer Instructions and Restrictions on Processing
3.3.1 Instructions. Service Provider will use, retain, and disclose Customer Personal Data solely for the specific business purpose of providing the Services and in accordance with Customer’s instructions, which are as set forth in the Agreement, DPA, and other agreements between the parties for the Services. Service Provider will inform Customer if any of Customer’s instructions infringes any Data Protection Laws.
3.3.2 Processing by Service Provider. Service Provider will Process Customer Personal Data in compliance with Data Protection Laws.
3.3.2.1 Service Provider will not:
3.3.2.1.1 Sell or Share Customer Personal Data;
3.3.2.1.2 use, retain, or disclose Customer Personal Data outside of its direct business relationship with the Customer;
3.3.2.1.3 use, retain, or disclose Customer Personal Data for any other purpose (including any other commercial purpose) other than as set forth in the Agreement and DPA, except as authorized by Customer or as required by law or by order of a court or authorized governmental agency (provided that prior notice first be given to the Customer unless such notice is prohibited by law or court order); or
3.3.2.1.4 combine Customer Personal Data with Personal Data that it (a) receives from or on behalf of third parties, or (b) collects from Service Provider’s own interactions with Data Subjects unrelated to the Services.
3.3.2.2 Service Provider may Process Customer Personal Data:
as necessary or appropriate:
3.3.2.2.1 to perform its rights and obligations under the Agreement and this DPA;
3.3.2.2.2 to operate, manage, test, maintain and enhance the Services including as part of its business operations;
3.3.2.2.3 to deidentify or aggregate Customer Personal Data in a manner that prevents individual identification of the Customer, or Data Subjects;
3.3.2.2.4 protect the Service from a threat to the Services, Customers, Customer Personal Data, and Service Provider’s systems; and
3.3.2.2.5 as otherwise expressly authorized by the Customer.
3.3.3 Employees and Agents. Service Provider will take commercially reasonable steps so that all Service Provider employees, contractors, and Sub-processors that Process Customer Personal Data are subject to written confidentiality agreements that provide substantially the same level of protection for Customer Personal Data as provided in this DPA and as required by Data Protection Laws.
3.3.4 Unauthorized Processing. Customer may take reasonable and appropriate steps to stop unauthorized Processing of Customer Personal Data, including without limitation, by instructing Service Provider to cease any such Processing.
3.3.5 Deidentification. Where Service Provider is permitted by applicable Data Protection Law or this DPA to use Customer Personal Data for its internal business purposes in a de-identified manner, Service Provider agrees to take reasonable measures designed to ensure that the Personal Data cannot be associated with an individual (or, household, where applicable), publicly commits to maintain and use the information in de-identified form only and make no attempt to re-identify the information except where necessary to test its de-identification processes, and contractually obligates any authorized recipients to comply with these obligations.
4. Data Security
4.1 Data Security Obligations. Service Provider will implement and maintain commercially reasonable administrative, technical, and physical safeguards, as described in Exhibit 2.
4.2 Data Breach.
4.2.1. If Service Provider learns of a Data Breach affecting Customer Personal Data, Service Provider shall take reasonable, appropriate, and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach; (b) notify Customer of such Data Breach without unreasonable delay consistent with timing under applicable laws; (c) furnish to Customer necessary and relevant details of the Data Breach as may be available; (d) assist Customer, as needed, in its investigation, mitigation, and remedying of the Data Breach; and (e) provide information and assist Customer, as needed, in meeting Customer’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach.
4.2.2. Unless prohibited by Applicable Laws or court order, Service Provider will notify Customer if Service Provider learns of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
4.2.3. Service Provider’s cooperation or obligation to report or respond to Data Breaches under this DPA shall not be deemed an acknowledgment by Service Provider of any fault or liability of Service Provider with respect to a Data Breach.
4.2.4. Service Provider shall not be identified in any notifications provided publicly or to third parties (such as to government entities or Data Subjects) unless the contents of the notifications are approved by Service Provider. Service Provider agrees to cooperate in promptly reviewing any notifications and will not unreasonably withhold approval. If such reviews and approvals are expressly prohibited by Applicable Law, Customer can provide them without review and approval.
4.3 Security Audit. If and to the extent Service Provider processes, handles, distributes or otherwise makes available, or stores Customer Personal Data as part of the Services, then Service Provider will have facilities that process, handle and/or store such information audited annually against SOCII Type 2/SSAE 18 (or its current equivalent) standards. The summary report of any security audit will be provided to Customer upon request. Customer agrees to treat such information provided by Service Provider in response to request under this Section 4.3 as Service Provider’s Confidential Information.
5. Data Protection Audits and Assistance. Upon Customer request, but no more than once per year, Service Provider will provide reasonable assistance and information to Customer regarding its Processing of Customer Personal Data to support compliance with its obligations and data protection impact assessments, where the information sought is not provided in the Agreement or this DPA or otherwise accessible to Customer. Service Provider will also provide reasonable assistance and information to Customer to support responses to regulatory enquiries and Data Subject Rights where such means and assistance are not provided in the Agreement or this DPA or otherwise accessible to Customer through the Admin Portal. No more than once annually, Service Provider will arrange for an independent audit or assessment of policies and technological and organizational measures in support of the obligations under this DPA according to SOCII Type 2 or comparable standards and will provide a summary report of audit or assessment upon Customer request.
6. Notice Regarding Third Party Requests and Inquiries. Service Provider will take reasonable steps to notify Customer if Service Provider receives the following in connection with its Processing of Customer Personal Data: (i) any requests from a Data Subject, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any request from a government entity or regulator provided such notice is not prohibited by law or court order.
7. Sub-processors
7.1 Approved Sub-Processors. Customer authorizes access or transfer to Service Provider’s Sub-processors. At present, the Sub-processors Service Provider uses are listed in Exhibit 3 to this DPA. Service Provider will provide ten (10) calendar days’ notice before utilizing a new Sub-processor by posting an update to the list at https://trust.ngrok.com. Customer can subscribe under trust.ngrok.com to the trust center updates and will receive notifications about any such change. Customer authorizes Service Provider to use any such Sub-processor to process Customer Personal Data unless Customer objects within ten (10) calendar days of such notification. Any such objection must be based on reasonable grounds that any such Sub-processor is unable to adequately protect the Customer Personal Data in accordance with the Agreement. If such objection is justified, Customer and Service Provider will work together to find a mutually acceptable resolution to such objection, and if unsuccessful, Customer’s sole remedy is termination of the relevant Services under the terms of the Agreement.
7.2 Responsibility. Service Provider will have a written agreement in place with each Sub-processor that obligates the Sub-processor to Process Customer Personal Data in a manner that is no less protective than the obligations on Service Provider under this DPA. Where Sub-processor fails to fulfil its obligations under any sub-processing agreement or Data Protection Laws, Service Provider will remain liable to Customer for the fulfilment of its obligations under this DPA and the Agreement.
8. Location of Processing. Service Provider will only Process Customer Personal Data in the countries and regions listed in Exhibit 1 and at trust.ngrok.com (“Approved Regions”), or such other countries and regions as instructed or authorized by Customer (where Customer instruction or authorization received by email or other electronic means is acceptable).
9. Cross-Border Data Transfers. With regard to countries, regions, or territories with Data Protection Laws requiring a mechanism for valid export of Customer Personal Data (such countries, regions, or territories, are “Limited Transfer Region(s)” and such data is “Limited Transfer Data”), Service Provider may not transfer, export, receive, or Process such Limited Transfer Data outside of such Limited Transfer Regions unless it or its Sub-processors take measures to adequately protect such data consistent with applicable Data Protection Laws. Such measures may include (to the extent consistent with Data Protection Laws):
9.1 Processing Customer Personal Data in a country, a territory, or one or more specified jurisdictions that are considered under Data Protection Laws as providing an adequate level of data protection);
9.2 The parties’ agreement to enter into and comply with the Standard Contractual Clauses in Exhibit 4 and any successors or amendments to such clauses or such other applicable contractual terms adopted and approved under Data Protection Laws;
9.3 Processing in compliance with Binding Corporate Rules in accordance with Data Protection Laws;
9.4 Implementing any other data transfer mechanisms or certifications approved under Data Protection Laws, including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework and/or the Swiss–US Privacy Shield framework; or
9.5 To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws of Limited Transfer Regions are required to transfer Customer Personal Data from a Limited Transfer Region, as applicable, to any third country, the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA governing the parties' Processing of Limited Transfer Data.
10. Retention and Deletion of Customer Personal Data. Upon Customer’s written request, or upon termination or expiration of the Agreement, Service Provider will delete all Customer Personal Data under Service Provider’s possession or control or provide Customer ability to delete such Customer Personal Data directly through tools or functionality made available by Service Provider. Service Provider will not delete to the extent that: (a) deletion is not permitted under Applicable Laws or the order of a governmental or regulatory body; (b) where Service Provider retains such data for internal record keeping, compliance with any legal obligations, and other lawfully permitted purposes; or (c) while Service Provider’s then-current data retention or similar back-up system stores Customer Personal Data provided such data will remain protected in accordance with the measures described in the Agreement and this DPA.
11. General Terms
11.1 Limitation of Liability. In no event will either party: (a) be liable for any indirect, incidental, consequential, punitive, special, or exemplary damages, whether or not such damages are foreseeable or a party has been advised of the possibility thereof, arising from or relating to this DPA; and (b) have aggregate liability for damages arising from or relating to this DPA in excess of one million United States of America dollars ($1,000,000 USD).
11.2 Insurance Coverage. During the terms of the Agreement, ngrok will maintain data security insurance sufficient to cover costs relating to Breaches described in Section 4.2 with minimum limits of one million United States of America dollars ($1,000,000 USD).
11.3 Indemnification. Service Provider and Customer shall each indemnify, defend and hold harmless each other, and their respective directors, officers, employees and agents (and successors, heirs and assigns) against any liability, damage, loss, fine, penalty, or expense (including reasonable attorneys’ fees and costs) incurred by such indemnifying party as a result of any claim, demand, lawsuit, investigation, or regulatory enforcement proceeding arising from a breach of any obligations or restrictions of this DPA by the indemnitor (“Claim”). The indemnified party will provide the indemnitor with prompt notice of any Claim (provided that the failure to promptly notify shall only relieve indemnitor of its obligation to the extent it can demonstrate material prejudice from such failure) and at the indemnitor’s expense, provide assistance reasonably necessary to defend such Claim. The indemnitor will not enter into a settlement that would result in liability to the indemnified party without the indemnified party’s prior written consent, which shall not be unreasonably withheld or delayed.
11.4 Termination and Survival. This DPA can be terminated as set forth in the Agreement. The provisions of this DPA that, by their terms, require performance after the termination or expiration of this DPA, or have application to events that may occur after the termination or expiration of this DPA, will survive the termination or expiration of this DPA, including the order of precedence, and Sections 1 and 10
11.5 Governing Law; Conflicts of Law; Severance. The parties to this DPA agree to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims relating to or arising under this DPA; and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement (without reference to its conflict of laws requirements), unless otherwise required by Data Protection Laws. To the extent any court or governmental entity with competent jurisdiction determines that a provision of this DPA is invalid or unenforceable, the parties agree and intend that such provision should be (a) amended solely as necessary to bring it back into force in a manner consistent with the parties’ manifest intent, or if that is not possible (b) severed from the DPA in a manner to give maximum legal force and effect to the remaining provisions
Service Provider:
ngrok
548 Market St
PMB 26741
San Francisco, CA 94104-5401 USA
Service Provider Contact: