This Data Processing Agreement, including any attachments, exhibits or schedules (collectively the “DPA”) is incorporated into and made a part of the Master Subscription Agreement or similar master agreement governing the provision of Solutions (the “Services Agreement”) entered into by Customer and Astronomer, Inc. (“Astronomer” or “Processor”) and applies solely to the extent that Astronomer processes any Customer Personal Data in connection with the Solution. Customer and Astronomer may be referred to individually as a “Party” or collectively as the “Parties”.
In the event of conflict, the provisions of this DPA shall control over the Services Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Services Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and its Authorized Affiliates.
1. APPLICATION OF THIS DPA. In the course of providing the Solution to Customer pursuant to the Services Agreement, the Parties acknowledge that (a) the Customer acts as a Data Controller; (b) the Customer wishes to subcontract certain services, which imply the processing of personal data, to Astronomer and Astronomer is acts as the Processor; (c) the Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); and (d) the Parties wish to document their rights and obligations.
2. DEFINITIONS.
“Agreement” means this DPA and the Services Agreement with Astronomer, Inc. incorporating this DPA, and all associated terms of service, schedules, SOWs, and order forms.
“Astronomer Control Plane” means the elements of the Solution residing within Astronomer’s Cloud Environment, including without limitation the user interface of the Solution.
“Cloud Environment” means a cloud computing or other storage resource operated by or for Astronomer or Customer, as the case may be, pursuant to this Agreement.
“Customer Data” means all data, records, files, information, and content uploaded by or on behalf of Customer to the Solution.”
“Customer Personal Data” means any Personal Data processed through Customer’s use of the Solution or a Subprocessor on behalf of Customer pursuant to or in connection with the Agreement.
“Data Plane” means the portion of a Cloud Environment in which Customer Data is processed as part of the Solution.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country or jurisdiction.
“EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR as amended, replaced or superseded from time to time.
“GDPR” means EU General Data Protection Regulation 2016/679.
“CCPA” means California Consumer Privacy Act as amended by the California Privacy Rights Act.
“Subprocessor” means any third party appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement.
“Standard Contractual Clauses” means the standard contractual clauses attached to the European Commission’s Implementing Decision (EU) 2021/914.
“International Data transfer Addendum” means the International Data Transfer Addendum to EU SCCs, issued by the British ICO under s119A(1) of the Data Protection Act 2018, version B1.0.
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
3. PROCESSING OF CUSTOMER PERSONAL DATA.
3.1. The Customer instructs Processor to process Customer Personal Data to provide the Solution to the Customer as described in the Services Agreement and in accordance with this DPA. Processor shall (a) comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; (b) not process Customer Personal Data other than on the relevant Customer’s documented instructions unless required to do so by applicable laws to which Processor is subject, in which case, Processor shall inform Customer of that legal requirement before Processing, unless applicable law prohibits such information on important grounds of public interest; and (c) immediately inform Customer if, in the Processor’s opinion, an instruction infringes Data Protection Laws.
3.2. The Customer shall not provide sensitive personal information or special category personal data, as defined under applicable Data Protection Laws to Astronomer-controlled product interfaces or store such data in a manner that is persistent or retained by Astronomer (including in logs but excluding transient processing solely within Customer workloads), to the platform. This includes, but is not limited to, Social Security numbers, driver’s license or passport details, financial account information, health data, and information related to minors. Processing such data as part of Customer workflows is permitted, provided that such data is not uploaded to or stored within the platform.
4. PROCESSOR PERSONNEL. Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of Processor or any Subprocessor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. SECURITY.
5.1. Astronomer shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. Astronomer shall take account the risks that are presented by Processing, in particular from a Personal Data Breach to ensure a level of security appropriate to that risk, including, as applicable, the measures referred to in Article 32(1) of the GDPR.
5.2. Customer is solely responsible for what Customer Personal Data is processed within the Data Plane in the Cloud Environment. Customer acknowledges its obligation to implement, maintain and review relevant and sufficient security and organizational measures to protect Customer Personal Data in the Data Plane environment. Customer hereby acknowledges and agrees that Astronomer does not provide or have access to provide security measures within Customer’s Data Plane environment
5.3. The parties shall comply with the Security Addendum found at https://www.astronomer.io/legal/security. Astronomer may update the Security Addendum from time to time to ensure that its technical and organizational measures maintain an appropriate level of security, provided that such modifications will not materially or substantially degrade Astronomer’s security commitments or impose additional obligations upon Customer. Astronomer will provide Customer with at least 30 days’ prior notice of any material changes to the Security Addendum as further described in the Security Addendum.
6. SUBPROCESSING.
6.1. Customer authorizes Astronomer to disclose Customer Personal Data to Subprocessors provided that: (i) such disclosure is necessary to enable Astronomer to provide the Solution, (ii) Astronomer has conducted appropriate due diligence of that third party in accordance with Data Protection Laws; (iii) the terms on which Astronomer has appointed such third party are enforceable and at least equally protective of Customer Personal Data as those set out in this DPA, in particular providing sufficient guarantees from such third party to meet or exceed the security requirements, and (iv) the Subprocessor is either listed in Schedule 1 to this DPA or Astronomer has notified Customer of the inclusion of the Subprocessor in the list in Schedule 1 in accordance with the provisions of clause 6.2. Astronomer shall be liable for the acts and omissions of each Subprocessor to the same extent Astronomer would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
6.2. Astronomer shall provide Customer at least 30 days’ prior notice of the addition of any Subprocessor to this list and the opportunity to object to such addition(s). If Customer makes such an objection on reasonable grounds and Astronomer is unable to modify the services to prevent the Personal Data transfer to the additional Subprocessor, Customer shall have the right to terminate the relevant Processing.
7. DATA SUBJECT RIGHTS.
7.1. Astronomer shall implement appropriate technical and organizational measures to assist in Customer’s fulfilment of its obligations to respond to requests specific to the exercise of Data Subject rights under the Data Protection Laws.
7.2. Astronomer shall (a) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; (b) not respond to such request except on Customer’s documented instructions or as required by Applicable Law, in which case Astronomer will, to the extent legally permitted, notify Customer of the legal requirement before responding; and (c) not sell personal data as that term is defined in the CCPA.
7.3. Customers shall make Data Subject Rights requests through privacy@astronomer.io.
8. PERSONAL DATA BREACH. Astronomer will notify Customer without undue delay upon Astronomer becoming aware of a Personal Data Breach affecting Customer Personal Data. Astronomer will provide Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Astronomer will cooperate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION. Astronomer shall provide reasonable assistance to the Customer in response to any data protection impact assessment requests and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case specific to Astonomer’s Processing of Customer Personal Data taking into account the nature of the Processing and information available to Astronomer.
10. DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Astronomer shall promptly, and in any event within thirty (30) days of the date of termination or expiration of the Service Agreement or upon written request, delete and procure the deletion of all copies of those Customer Personal Data. Upon reasonable written request, or within thirty (30) days of the date of termination or expiration of the Services Agreement, Astronomer will make available to Customer a copy of such Customer Personal Data.
11. AUDIT RIGHTS. Notwithstanding anything to the contrary in the Services Agreement, Astronomer shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow reasonable audits and questionnaires, including inspections by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by Astronomer and its Subprocessors.
12. DATA TRANSFER.
12.1. European Economic Area. In the event of any transfer of Customer Personal Data collected within the European Economic Area (“EEA”) to a country outside of the EEA that does not guarantee a level of protection considered adequate by the European Commission, the Parties agree to be bound by the terms of Module 2 (Controller to Processor) of the Standard Contractual Clauses which shall be deemed to be populated and completed as follows:
- Clause 7: Docking clause shall not apply;
- Clause 9: Use of Subprocessors option 2 (general written authorisation) shall apply and the relevant time period for notice shall be 30 days;
- Clause 11(a): Redress: The optional language shall not apply;
- Clause 17: Governing Law: Option 2 shall apply and where applicable, the laws of Ireland shall govern;
- Clause 18: Choice of Forum and Jurisdiction: the courts of Ireland are selected;
- Annex 1. A (List of Parties) shall be deemed to be Customer as data exporter and Processor as data importer;
- Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Schedule 1;
- Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority of Ireland;
- Annex 2 (Technical and Organisational Measures) shall be deemed to refer to the measures set out Security Addendum available at https://www.astronomer.io/legal/security; and
- Annex 3 (List of Subprocessors) shall be deemed to be completed by the list of Subprocessors available at https://trust.astronomer.io
12.2. United Kingdom: In the event of any transfer of Personal Data collected within the United Kingdom to a country outside of the United Kingdom that does not guarantee a level of protection considered adequate by the British government from time to time, the Parties shall be bound by the terms of the International Data Transfer Addendum which shall be deemed to be populated and completed as described above and as follows:
- Table 1 shall be deemed to be populated with Customer as data exporter and Processor as data importer;
- Table 2 shall be deemed to be populated with the corresponding details and selections described in relation to Module 2 of the Standard Contractual Clauses in clause 11.1 above;
- Table 3 shall be deemed populated with the information set out in Schedule 1;
- Table 4 is completed by only ‘Importer’ being selected.
12.3. In the event of any inconsistency between the Standard Contractual Clauses and the International Data Transfer Addendum and this DPA or the Services Agreement, the Standard Contractual Clauses or the International Data Transfer Addendum, as applicable, shall prevail. Any onward transfer of Personal Data by Astronomer shall be made only in accordance with applicable Data Protection Laws.
13. GENERAL TERMS
13.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
13.2. Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email (with confirmation of receipt) to the address or email address set out in the heading of this DPA at such other address as notified from time to time by the Parties changing address.
13.3. Modification. From time to time, Astronomer may propose modifications to this DPA. Astronomer shall notify Customer of the proposed changes through communications via Customer’s Account, email, or other means. All such modifications shall be subject to the mutual agreement of the Parties.
14. GOVERNING LAW AND JURISDICTION. Except to the extent otherwise specifically required by Data Protection Laws, the provisions of the Services Agreement for governing law and resolution of disputes shall apply to this DPA.
15. CONFLICT. The terms and conditions of this DPA and any relevant Services Agreement are intended to complement each other. To the extent they conflict, the terms and conditions of this DPA will control over the Services Agreement.
SCHEDULE 1 – DATA PROCESSING DETAILS
| Categories of Data Subjects | Determined by Controller. |
| Categories of Personal Data | Determined by Controller save to the extent that Customer acknowledges that data as per clause 3.2 may not output plain-text sensitive data in Scheduler or task logs; store in XComs, within Runtime images, data pipeline code, or lineage metadata |
| Sensitive and special category personal data (if applicable) | Determined by Controller as included in clause 3.2. |
| Frequency of the transfer | Ongoing. |
| Nature of the Processing | Data orchestration services as further described in the Services Agreement. |
| Purpose of the Processing | Provision of Solution to Customer under the Services Agreement. |
| Period for which the Personal data will be processed and retained | For the duration of the Services Agreement and up to 30 days after the date of termination or expiry of the Services Agreement. |
| Appointed Subprocessors | As set out at https://trust.astronomer.io/ |
Previous Versions
2024
March 11, 2024 - Astronomer Data Processing Agreement
2023
Get started free.
OR
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.