BARRACUDA NETWORKS
Global Data Processing Addendum
This Global Data Processing Addendum (“DPA”) forms part of the Barracuda Terms and Conditions located at https://trust.barracuda.com/legal, the agreement between Barracuda Networks, Inc. (“Barracuda”) and Customer and Customer Affiliates (collectively, “Customer”), for the purchase of Barracuda Products and Services (“Agreement”). This DPA applies to the extent the Processing of Personal Data by Barracuda on behalf of Customer is subject to Data Protection Laws.
1. Compliance with Data Protection Laws. The parties desire to comply with Data Protection Laws with respect to their obligations and rights set out in the Agreement. This DPA is intended to ensure that both parties comply with relevant and applicable Data Protection Laws with respect to Customer Personal Data.
2. Definitions. In this DPA, capitalized terms are defined below. Capitalized terms not defined in this section have the meaning given to them in the Agreement.
2.1 “Barracuda Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common Control with Barracuda, where “Control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
2.2 “Customer Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control with Customer.
2.3 “Customer Personal Data” means any Personal Data Processed by Barracuda or its Sub-Processor on behalf and at the instruction of Customer, in connection with the Agreement. Customer Personal Data does not include data processed by Barracuda as a Controller.
2.4 “Data Protection Laws” means all applicable regulations, laws, statutes, or legal obligations in any relevant jurisdiction including but not limited to, the EU General Data Protection Regulation 2016/679 (the “GDPR”) together with applicable national legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, the United Kingdom GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018, and the UK Data Protection Act 2018 (collectively, the “UK GDPR”), the Swiss Federal Act on Data Protection (the “FADP”), and the California Consumer Privacy Act (“CCPA”), all as may be amended from time to time.
2.5 “Deidentified Data” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.
2.6 “IDTA” means the UK International Data Transfer Addendum B1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
2.7 “Data Breach” means an event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
2.8 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2.9 “Sub-Processor” means any person appointed by or on behalf of Barracuda or any Barracuda Affiliate to Process Personal Data on behalf of any Customer in connection with the Agreement.
2.10 The terms, “Business,” “Control,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Process,” “Processing,” “Processor,” “Service Provider,” and “Supervisory Authority” have the same meaning as in the applicable Data Protection Laws, and their cognate terms are construed accordingly. The word “include” means include without limitation, and cognate terms are construed accordingly. In the event of a conflict between these terms under applicable Data Protection Laws, the definition which confers the highest level of protection to the Customer Personal Data applies.
3. Processing of Customer Personal Data.
3.1 Roles of the Parties. Customer and Barracuda agree that Customer is the Controller or Processor of Customer Personal Data and Barracuda is the Processor of such data. For purposes of the CCPA, Customer is a Business and Barracuda is a Service Provider relevant to the Customer Personal Data.
3.2 Barracuda Obligations under this DPA. Barracuda will not Process Customer Personal Data other than: (i) as necessary to provide the Products and Services in accordance with Customer’s instructions, which include the terms of the Agreement, Customer’s use of the Services, and the terms of this DPA; or (ii) as required to comply with laws to which Barracuda is subject. Barracuda will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer. Barracuda will comply with its obligations as to the Customer Personal Data under relevant Data Protection Laws, as applicable. Barracuda will inform Customer if an instruction violates applicable Data Protection Laws. Barracuda may suspend the provision of Services until such time as Customer’s instructions become compliant with applicable Data Protection Laws.
3.3 Confidentiality. Barracuda takes reasonable steps to ensure that its employees who may have access to the Customer Personal Data are subject to confidentiality undertakings, or professional or statutory obligations, of confidentiality. Access to Customer Personal Data is reasonably limited.
3.4 Customer Obligations Under this DPA.
3.4.1 Customer must comply with all applicable laws and regulations related to privacy and data protection with respect to its procurement and use of Barracuda Products and Services. Customer will not Process Personal Data, including Customer Personal Data, in any manner that violates or conflicts with the requirements of Data Protection Laws and Regulations. Customer’s instructions for the Processing of Customer Personal Data must comply with Data Protection Laws and Regulations. Customer has sole responsibility and liability for the accuracy, quality, and legality of Customer Personal Data including the way Customer collects such Customer Personal Data.
3.4.2 Customer warrants that it has or will obtain all legally required consents and provide all legally required notices for the Processing of Customer Personal Data by Barracuda.
3.4.3 Customer warrants that all Customer Personal Data provided to and Processed by Barracuda is collected and Processed by the Customer in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators that are required by Data Protection Laws are made and maintained by the Customer; and (b) ensuring that all Customer Personal Data is collected and Processed fairly and lawfully and is accurate and current.
3.5 Details of the Processing. The details of the Processing of Customer Personal Data, including the duration, subject matter, nature and purpose, categories of Data Subjects, and types of Customer Personal Data, are provided in Attachment A.
4. Processing subject to US State Laws.
4.1 Purpose Limitation. To the extent that Customer discloses, shares, or otherwise makes available Customer Personal Data to Barracuda, Customer does so for the limited and specified purposes as described in the Agreement and other valid legal purposes under relevant laws.
4.2 Selling and Sharing. Barracuda will not Sell or Share Customer Personal Information as those terms are defined under applicable US Data Protection Laws, particularly the CCPA.
4.3 Deidentified Data. To the extent that Customer discloses or otherwise makes available Deidentified Data to Barracuda, or Barracuda deidentifies Customer Personal Data, Barracuda agrees to: (i) take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual or household; (ii) publicly commit to maintain Deidentified Data in a deidentified form; and (iii) contractually obligate any further recipient to comply with all provisions of this Section.
4.4 Combining Personal Information. Barracuda will not combine Customer Personal Data regarding an individual that Barracuda receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person, or collects from Barracuda’s own interaction with the individual, except as allowed under applicable Data Protection Law, including to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10).
4.5 Inability to Meet Data Protection Obligations. Barracuda will notify Customer if Barracuda reasonably determines that it can no longer meet its obligations under applicable US Data Protection Laws.
4.6 Unauthorized Use of Customer Personal Data. Customer may, upon reasonable notice to Barracuda, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
5. Security. Barracuda will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing of the Customer Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, as further provided in Attachment A of this DPA.
6. Sub-processing.
6.1 Appointment. Customer authorizes Barracuda to subcontract the Processing of Customer Personal Data to Sub-Processors who in each case are subject to terms between Barracuda and the Sub-Processor that are no less protective of Personal Data than those set forth in this DPA. The list of Sub-Processors currently engaged by Barracuda is available on the Barracuda website (as referred to in Section 6.2 below). Barracuda will provide Customer with further details about such Sub-Processors upon written request from the Customer.
6.2 Right to Object. The Barracuda website lists the Sub-Processors (available at https://trust.barracuda.com/privacy/documentation/sub-processors-and-cricital-vendors) that are currently engaged by Barracuda to carry out Processing activities. Barracuda will use reasonable efforts to provide prior notice of any new Sub-Processor to carry out Processing activities via the website. Customers may subscribe for updates via email. If Customer does not object in writing within fifteen (15) days of posting on the website, Customer is deemed to have accepted the new Sub-Processor. If Customer does object in good faith and on reasonable data privacy grounds in writing within fifteen (15) days of posting on the website, Barracuda and Customer will discuss possible resolutions. If no agreement can be reached, Customer may, at its option, terminate the Agreement to the extent the Products or Services cannot be provided without the objected-to Sub-Processor, before the end of the notice period. Customer must provide written notice of termination and otherwise comply with the termination provisions in the Agreement, along with an explanation of the grounds for non-approval.
6.3 Sub-Processor Liability. Barracuda will be liable for the acts and omissions of its Sub-Processors to the same extent Barracuda would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.
7. Responding to Data Subjects.
7.1 Notice to Customer. Barracuda will not independently respond to requests from Customer’s employees, agents or customers without Customer’s prior written consent, except where required by applicable law. Barracuda will, to the extent legally permitted, notify Customer as soon as reasonably practicable if Barracuda receives a formal request or communication from a Data Subject to exercise a right under applicable Data Protection Laws (“Data Subject Request”).
7.2 Assistance to Customer. Taking into account the nature of the Processing, Barracuda will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Products and Services, does not have the ability to address a Data Subject Request, Barracuda will, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Barracuda is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
8. Data Breach. In the event of a Data Breach impacting the Customer Personal Data, Barracuda will notify Customer, without undue delay after becoming aware of it, in compliance with the applicable Data Protection Laws. Barracuda will cooperate with Customer and take such reasonable commercial steps as are requested by Customer to assist in the investigation, mitigation and remediation of each such Data Breach.
9. Data Protection Impact Assessment and Prior Consultation. Upon Customer’s request, taking into account the nature of the Processing and information available, Barracuda will provide reasonable cooperation and assistance to Customer to perform required data protection impact assessments or prior consultations with Supervisory Authorities related to the Processing of Customer Personal Data, to the extent Customer does not otherwise have access to the relevant information.
10. Deletion or Return. Barracuda will delete Customer Personal Data and instruct all Sub-Processors to delete Customer Personal Data after termination of the Agreement or sooner, where possible, upon Customer’s written request. In the event Customer desires a return of such data, where available, it may elect to download a copy via the Services prior to termination of the Agreement. Barracuda may retain copies of data where required by any law to which it is subject.
11. Audit Right.
11.1 Barracuda conducts annual audits, such as an SSAE 18 SOC audit. Barracuda will, upon request, provide Customer a valid report from the most recent audit covering the Services, subject to the confidentiality provisions in the Agreement. Customer agrees that the foregoing fulfils Barracuda’s audit obligations under applicable Data Protection Laws, except for any additional audits subsequently required by a relevant data protection authority or regulatory body with authority over the Customer Personal Data.
11.2 Where required in accordance with the prior sentence and to the extent legally required by applicable Data Protection Laws, Barracuda will make available to Customer all additional information necessary to demonstrate Barracuda’s compliance with this DPA and any applicable Data Protection Laws, and will allow for and contribute to reasonable audits, including inspections, by Customer, or a third-party auditor mutually agreed upon by Customer and Barracuda, at Customer’s sole expense, in order to assess Barracuda’s compliance, provided always that this requirement will not oblige Barracuda to provide or permit access to information concerning: (i) Barracuda’s internal pricing information; (ii) information relating to Barracuda’s other customers; or (iii) any of Barracuda’s non-public reports. Unless otherwise required by a supervisory authority, Customer will give Barracuda at least thirty (30) days written notice of any request to conduct an audit and will not perform audits more frequently than once in any twelve (12) month period. The parties will discuss and agree upon the audit plan. The audit will be conducted during normal business hours. Audits will not include any hosting service providers (e.g., AWS, Microsoft) or penetration testing of Barracuda SaaS Services, it being acknowledged that doing so could endanger Barracuda’s other customers.
12. Cross Border Transfers. Customer Personal Data that Barracuda Processes on Customer’s behalf may be transferred to, and Processed in, the United States or other countries in which Barracuda and its Sub-Processors operate. Customer instructs Barracuda to perform any such transfer of Customer Personal Data to any such country and to Process Customer Personal Data to provide the Products and Services and fulfill its obligations under the Agreement.
12.1 Standard Contractual Clauses. For transfers of data where Customer is located in the EEA, the UK, or Switzerland, or the Personal Data is otherwise subject to the Data Privacy Laws of the EEA, the UK, or Switzerland, and Barracuda is located outside the EEA, the UK, or Switzerland, in a country which is not recognized by the EEA, UK, or Switzerland as providing an adequate level of protection for Personal Data (a “Restricted Transfer”), the Parties hereby agree to be bound by the Standard Contractual Clauses and IDTA (collectively, the “SCCs”), as applicable, in accordance with Exhibit 1 hereto.
12.2 Whenever the SCCs apply, they will be governed by the underlying terms in the Agreement and this DPA, including but not limited to audit rights and limitations of liability, to the extent such terms do not contradict the SCCs.
13. Governing Law and Venue. The governing law and venue applicable to this DPA is the same as those indicated between the parties in the Agreement.
14. Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. Any invalid or unenforceable provision will either be: (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or, if that is not possible, then (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
15. Customer Affiliate Claims. Customer Affiliates will not bring a claim directly against Barracuda. Any such claims are considered claims made by Customer and are subject to any liability restrictions set forth in the Agreement.
16. Hierarchy. To the extent there is a conflict between the Agreement and the DPA, the DPA takes precedence. To the extent a conflict exists between the DPA and SCCs, the SCCs take precedence with respect to their subject matter. Where the SCCs do not apply, the DPA prevails.
Attachment A
Details of processing activities
Duration of the processing. The duration of the Processing is for the term designated under the Agreement.
Subject matter of the processing. The subject matter of the Processing is limited to Customer Personal Data.
Nature of the processing. The nature of the Processing includes recording, organization, storing, consulting, using, and deleting Customer Personal Data.
Purpose of the processing. The purpose of the Processing of Customer Personal Data is the provision of the Services under the Agreement.
Categories of data subjects. Categories of data subjects are natural persons whose Personal Data is provided to Barracuda for Processing in accordance with the Services and this DPA. These may include Customers’ clients, employees, contractors, suppliers, customers, prospects, and other related third parties whose data Customer provides to Barracuda.
Type of Personal Data. Types of Customer Personal Data are determined entirely by Customer and are provided via Customer in accordance with the Agreement. Customer understands that Barracuda has no control over which data Customer provides to Barracuda via the Services.
Authorized Sub-Processors. https://trust.barracuda.com/privacy/documentation/sub-processors-and-cricital-vendors.
The technical and organizational measures implemented by Barracuda are further described in detail in the documentation published to Barracuda’s Trust Center as updated from time to time and as available to the Customer upon request by going to the Trust Center, currently located at: https://trust.barracuda.com/security.
Exhibit 1
Restricted Cross Border Transfers
Restricted Transfers Subject to the Standard Contractual Clauses. In accordance with Section 12 of the DPA, for transfers of Personal Data where the Standard Contractual Clauses serve as the transfer mechanism, the Parties agree that the Standard Contractual Clauses are completed as follows:
1. Where the Customer is acting as a Controller, Module 2 applies. Where Customer is acting as a Processor, Module 3 applies.
2. Clause 7, the “Docking Clause (Optional)”, will be deemed incorporated.
3. Under Clause 9 (Use of Sub-Processors), the Parties select Option 2 (general authorization), and the time period for submitting requests for the addition or replacement of Sub-Processors is set forth in Section 5 of the DPA.
4. Under Clause 11 (Redress), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
5. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
6. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
Annexes I-III are set forth below.
Restricted Transfers Subject to UK GDPR. Regarding any Restricted Transfers of Personal Data subject to the UK GDPR, the Standard Contractual Clauses, completed above and subject to the IDTA thereto, apply. The IDTA is available here and is completed as follows:
1. In Table 1 of the IDTA, the Parties are defined as set out in Annex I below.
2. In Table 2 of the IDTA the EU Standard Contractual Clauses referenced are the Standard Contractual Clauses as completed herein and executed by reference between the Parties.
3. In Table 3 of the IDTA, the Annexes to the Standard Contractual Clauses are set out below.
4. In Table 4 of the IDTA, Barracuda may end the Addendum as set out in Section 19 thereof.
5. Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
By entering this DPA, the parties are deemed to execute the IDTA to the Standard Contractual Clauses as indicated herein.
Restricted Transfers Subject to Swiss Data Protection Law. If any Personal Data subject to the Federal Act on Data Protection (the “FADP”) is transferred out of Switzerland, the Standard Contractual Clauses, completed as indicated above, apply and are amended, for transfers subject to FADP only, as follows:
1. The competent supervisory authority in Annex I.C under Clause 13 is the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the data transfer is governed by the FADP;
2. Applicable law for contractual claims under Clause 17 is Swiss law or the law of a country that allows and grants rights as a third-party beneficiary for contractual claims regarding data transfers pursuant to the FADP;
3. References to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and
4. References to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP.
Annexes to the Standard Contractual Clauses
Annex I
1. LIST OF PARTIES
Data exporter
Customer as identified in the relevant Order
Controller or Processor
Data importer
Barracuda Networks, Inc.
3175 S. Winchester Blvd. Campbell, CA 95008
Amanda Osorio, Director, Data Privacy Counsel, privacy@barracuda.com
Processor
2. THE DESCRIPTION OF THE TRANSFER – See Attachment A
Annex II
Technical and Organizational Measures, including technical and organisational measures to ensure the security of the data.
Barracuda implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing of the Customer Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Barracuda warrants that it will provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the Data Protection Laws and ensure the protection and rights of the data subjects.
The technical and organizational measures implemented by Barracuda are further described in detail in the documentation published to Barracuda’s Trust Center as updated from time to time and as available to the Customer upon request by going to the Trust Center, located at https://trust.barracuda.com/security.
Annex III
Customer authorizes the current list of Sub-Processors available here: https://trust.barracuda.com/privacy/documentation/sub-processors-and-cricital-vendors.