This is applicable only to Customer data where Samsara is Processing Customer Personal Data which is subject to Data Protection Laws (all such terms as defined in our Agreement).
1.1 In this Addendum, the following terms will have the meanings set out below:
1.1.1 “Customer Personal Data” means any Personal Data subject to Data Protection Laws contained in Customer Data that the Customer provides or has made available to Samsara and is Processed by Samsara on Customer’s behalf pursuant to the Agreement; and
1.1.2 “Data Protection Laws” means the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) and any applicable national legislation which supplements it.
1.2 The terms “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” and “Supervisory Authority” will have the same meaning as in the GDPR. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1 As between the parties, Samsara acts as a Processor of the Customer Personal Data on Customer’s behalf. As a Processor, Samsara will:
2.1.1 Process Customer Personal Data in accordance with this Addendum (including, without limitation, Appendix A), Documentation and/or Customer’s documented instructions as set forth in the Agreement, or as otherwise required by applicable law to which Samsara is subject (the “Customer Instructions”). If Samsara is required by applicable Union and Member State law to Process Customer Personal Data other than in accordance with the Customer Instructions, Samsara will to the extent permitted by applicable Union and Member State law inform the Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.
2.1.2 Not be responsible for obtaining any consent, authorization, approval or agreement that may be required under applicable laws or policies, or for providing notices with regard to Customer Personal Data, in order to enable Samsara to receive and Process the Customer Personal Data in accordance with the Agreement. Customer will be solely responsible for the accuracy, quality and legality of the Customer Personal Data, the means by which it acquires and uses the Customer Personal Data, and the Customer Instructions regarding the Processing of Customer Personal Data. Customer shall ensure that its acts or omissions, including its Customer Instructions, do not put Samsara in breach of any applicable laws or regulations. Where Samsara believes that an instruction would be in breach of applicable Union or Member State data protection provisions, Samsara shall notify Customer of such belief without undue delay. Samsara shall be entitled to suspend performance of such instruction until Customer confirms or modifies such instruction.
3. Samsara Personnel
Samsara will hold Customer Personal Data in confidence pursuant to the confidentiality provisions of the Agreement and will require Samsara personnel granted access to Customer Personal Data to protect all Customer Personal Data accordingly. Any person entitled to Process Customer Personal Data on behalf of Customer has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Processing.
Samsara will implement appropriate technical and organizational measures designed to safeguard Customer Personal Data and to ensure the adequate protection of Customer Personal Data, which measures shall fulfil the requirements of the GDPR and specifically Article 32 GDPR. Samsara shall at least implement the measures contained in the Security Description attached hereto as Appendix B. Samsara may modify such measures from time to time, provided that such modifications will not materially reduce the overall level of protection for Customer Personal Data.
5.1 Customer authorizes each Samsara affiliate, as well as such other third parties noted in the Documentation, to be sub-processors (each a “Subprocessor”). Samsara may disclose Customer Personal Data to its Subprocessors for the purposes of providing the Products, provided that Samsara will impose substantially similar obligations on its Subprocessors regarding the security and confidentiality of Customer Personal Data as those set forth in this Addendum to meet the requirements of Data Protection Laws.
5.2 Customer shall be entitled to contradict any change of Subprocessors as notified by Samsara from time to time within thirty (30) calendar days of such notification, and only for materially important reasons. Where Customer fails to contradict such change within such period of time, Customer shall be deemed to have consented to such change. Where a materially important reason for such contradiction exists and is provided in writing to Samsara, and failing an amicable resolution of this matter by the parties (each party acting reasonably and in good faith), Customer shall be entitled to terminate the Agreement by providing written notice to Samsara.
5.3 Samsara will remain responsible for the acts or omissions of Subprocessors to the same extent required by Data Protection Laws as if the acts or omissions were performed by Samsara (“Subprocessor Liability”), and shall be permitted to re-perform or to procure the re-performance of any such obligations. Customer acknowledges and accepts that such re-performance shall diminish any claim that Customer has against Samsara in respect of any Subprocessor Liability.
6. Data Subject Requests
6.1 Where Samsara directly receives requests from Data Subjects, or anyone acting on their behalf, to exercise their rights under Data Protection Laws (“Data Subject Request”), and provided Samsara can reasonably identify from the information provided that such request relates to the Customer and/or Customer Personal Data, then unless prohibited by applicable law, Samsara will (a) promptly notify Customer of such request; and (b) not respond to any such request unless required by applicable law to which Samsara is subject, in which case Samsara will, to the extent permitted by applicable law, inform Customer of that legal requirement before responding to such request. Samsara may require the Customer to bear the actual costs incurred as a result of the assistance provided in accordance with this Section based on the then currently applicable service rates of Samsara.
6.2 For the avoidance of doubt, Customer is responsible as Data Controller for responding to Data Subject Requests. Samsara’s Services include technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist Customer, insofar as this is possible, in fulfilling its obligations to respond to Data Subject Requests.
7. Personal Data Breach
Samsara will notify Customer without undue delay upon Samsara becoming aware of a Personal Data Breach affecting Customer Personal Data. For the avoidance of any doubt, a Personal Data Breach shall not include (i) any incidents which are unlikely to result in a material risk to the rights and freedoms of natural persons that are the subject of the Customer Personal Data; (ii) acts or omissions which do not breach Samsara’s security or the security of any Subprocessor; (iii) port scans, authorized penetration tests, and denial of service attacks; or (iv) any access to or Processing of Customer Personal Data that is consistent with Customer Instructions. At Customer’s request, Samsara will provide reasonable assistance and co-operation to assist Customer in fulfilling any applicable notification obligations under applicable Data Protection Laws with respect to the Personal Data Breach. Samsara’s notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgement by Samsara or, if relevant, its Subprocessors of any fault or liability with respect to the performance of Products. Samsara may require the Customer to bear the actual costs incurred as a result of the assistance provided in accordance with this Section based on the then currently applicable service rates of Samsara.
8. Data Protection Impact Assessment and Prior Consultation
At Customer’s request, Samsara will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities required by Article 35 or 36 of the GDPR, in each case solely in relation to Samsara’s Processing of Customer Personal Data under the Agreement, and taking into account the nature of the Processing and the information available to Samsara. Samsara reserves the right to charge a reasonable fee for such requested assistance, to the extent permitted by applicable law.
9. Audit rights
9.1 Samsara may retain independent third-party auditors to prepare a Service Organization Control 2 (Type I or II) report, or other industry-standard successor report (“Report”). Upon Customer’s written request, Samsara will provide to Customer at no cost a copy of the most recent Report, up to once a year. Such Reports will be Samsara’s Confidential Information under the confidentiality provisions of the Agreement. Customer agrees that the Reports will be used to satisfy any audit or inspection request by or on behalf of Customer in relation to Data Protection Laws and/or Agreement.
9.2 If a Report is not available, Customer may request, upon 30 days’ prior written notice and up to once per calendar year, to perform a review at its own expense, with a scope, dates, duration, auditor and any security and/or confidentiality controls to be mutually agreed, of relevant Samsara policies and procedures governing Samsara’s handling of Customer Personal Data in connection with the Services, for purposes of verifying Samsara’s compliance with this Addendum. This review will be conducted in a manner that does not compromise confidentiality obligations to Samsara’s other customers. The parties acknowledge and agree that such policies and procedures are Samsara’s Confidential Information under the confidentiality provisions of the Agreement.
10. Data Transfers
Samsara may transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services, consistent with this Addendum. Samsara is certified under the E.U.-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. To the extent that provision of Services under the Agreement involves a transfer of Customer Personal Data from Customer in the EU/EEA/Switzerland to Samsara in a location outside of the EU/EEA/Switzerland that has not been deemed by the European Commission to provide an adequate level of data protection, the Privacy Shield Framework(s) will be the lawful transfer mechanism for Customer Personal Data.
11. Retrieval and Deletion of Customer Personal Data
Customer hereby acknowledges and accepts the functionality of the Products and the data retention and deletion policies as provided to Customer by Samsara, which may impact Customer Personal Data. Samsara will enable Customer to delete Customer Personal Data during the term of the Agreement in a manner consistent with the functionality of the Products. Following termination or expiration of the Agreement, Customer will be entitled to retrieve its Customer Personal Data in accordance with the Agreement and Samsara will promptly delete Customer Personal Data from its systems following such retrieval period, unless applicable law requires storage of the Customer Personal Data.
DESCRIPTION OF PROCESSING ACTIVITIES
Samsara’s provision of the Products to the Customer.
Duration of the Processing
The term of the Agreement plus the period from the expiry or termination of the Agreement until deletion of all Customer Data by Samsara in accordance with the Agreement. Specific Customer Personal Data may have specific data retention and deletion policies in place (e.g., video data from dash cameras used by customers located in the EEA and uploaded to the Hosted Software has a six-month retention policy and deletion schedule in place as a default setting, which the Customer accepts and which can be amended to meet Customer requirements).
Nature and Purpose of the Processing
Samsara will process Customer Personal Data for the purposes of providing the Products to the Customer in accordance with, and as otherwise permitted by, the Agreement, and for any disclosures compelled by law.
Categories of Personal Data
Personal Data relating to individuals provided to Samsara via the Products, by (or at the direction of) Customer or by any employee or end user of the Customer which include, without limitation, names, contact information (e.g., company, email, address, telephone number), ID data, connection data, location data, profile pictures, and images and video captured by the Products (e.g., images of individuals inside a vehicle operating a dash cam, and other information capable of identifying individuals from such imagery e.g., vehicle registration and license plates, signposts for buildings, houses and other landmarks).
Data subjects include the individuals about whom Personal Data is provided to Samsara via the Products by (or at the direction of) Customer or by any employee or end user of the Customer which include, without limitation, users, employees, officers, directors, contractors, agents, vendors, customers, clients, visitors, and such other individuals who may be captured by the Products.
Location of Processing
The Customer Personal Data may be Processed by Samsara and its Subprocessors in various locations and countries including, without limitation, in countries outside of the EEA in which Samsara or Subprocessors may maintain facilities, employees and/or infrastructure e.g., Amazon Web Services, Inc. in California, USA, for cloud hosting infrastructure services. Customer acknowledges and accepts that the applicable data protection laws and regulations in such countries may be less protective of individuals’ rights than that afforded in the EEA.
Samsara, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the legally protected interests of natural persons, shall implement the necessary technical and organizational measures to ensure a level of security appropriate to the risk when Processing Personal Data, in particular as regards the processing of special categories of Personal Data.
These measures may include pseudonymization and encryption of personal data, if such means are possible in view of the purposes of Processing.
Samsara takes steps to restrict access to Customer Personal Data to Customer, its users, and authorized Samsara personnel and Subprocessors. In addition, Samsara has processes designed to protect its systems containing or accessing the Customer's Personal Data against Personal Data Breaches. The underlying infrastructure leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic.
Data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant's data. The logical separation is designed to associate data with exactly one customer, and required authentication checks at the application and data layers aim to isolate data by customer and accounts provisioned for that customer.
The Services employ a Virtual Private Cloud to provide resource isolation and minimize attack surface area. The Services are protected by IP- and port-based firewalls. Administrative access to Samsara’s infrastructure is restricted and verified by AWS Identity and Access Management. Distributed Denial of Service (DDoS) attacks can be mitigated with elastic load balancing and highly available DNS services.
When a storage device containing Customer Personal Data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent the data from being exposed to unauthorized individuals. Techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) are used to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Samsara implements measures designed to enhance the physical security of its networks, servers, cloud and other information systems in which Customer Data is stored, processed, transmitted, or accessed and to maintain them in a secure manner that satisfies the requirements of this Appendix.
Samsara reviews information technology security measures annually. On an annual basis a qualified independent third-party conducts penetration tests of Samsara’s system for security vulnerabilities. Samsara maintains suitable processes to identify, isolate and remediate security vulnerabilities.