Venafi Data Processing Addendum
Last updated on July 21, 2023
This Data Processing Addendum (“DPA”) forms part of the Venafi Terms of Use for Cloud Services, or other signed writing governing the use of Venafi Services (“Agreement”) that has been entered into by and between you (“Customer”) and Venafi, Inc. (“Venafi”). This DPA sets out the terms, requirements, and conditions that apply to the Processing of Customer Personal Data (defined below) by Venafi on behalf of Customer when providing machine identity management services under the Agreement. The DPA includes provisions required by the General Data Protection Regulation (EU) 2016/679 and other data protection laws.
Definitions. Capitalized terms used but not defined in this DPA will have the meanings assigned to them by the Agreement. The terms “Controller,” “Processor,” and “processing” as it relates to Personal Data will have the meanings ascribed to them in applicable Data Protection Laws (defined below).
“Customer Data” means data and information submitted by or for Customer to the Service or collected and processed by or for Customer using the Service.
“Customer Personal Data” means Customer Data that is Personal Data.
“Data Protection Laws” mean laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including, as applicable: (i) the California Consumer Privacy Act as amended by the California Privacy Rights Act, (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), (iii) the Swiss Federal Act on Data Protection (“FADP”), (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) and (v) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.
“Employee” means employees, directors, officers, agency workers, interns, consultants, and contractors.
“Personal Data” has the meaning assigned to “personal data” or similar terms in Data Protection Laws, and generally means information that relates to an identified or identifiable natural person.
“Schedules” means one or more schedules agreed to by the Parties and incorporated into this DPA. The default Schedules for this DPA are:
- Schedule A: Subject Matter and Details of Data Processing; Sub-Processors
- Schedule B: Technical and Organizational Measures
- Schedule C: Cross-Border Transfers and Supplementary Measures
“Service” means any and all software-as-a-service or multitenant application-over-the Internet services provided by Venafi or a particular subservice or tier thereof, including any set forth in an applicable Order Form or that Customer may use, access or for which Customer has registered.
Applicability of DPA
Roles and Scope. This DPA applies to the Parties whenever the processing of Customer Personal Data is subject to Data Protection Laws. The parties acknowledge and agree to the following: Customer is the Controller of Customer Personal Data and Venafi is the Processor of Customer Personal Data, except in limited defined circumstances where Venafi acts as a Controller processing Customer Personal Data in accordance with Section 3.4.
Duration. The DPA commences on the Effective Date and terminates upon expiration of the Agreement or the date on which Venafi has ceased processing Customer Personal Data on behalf of Customer, whichever is later.
Subject Matter and Details of Data Processing
Categories of Personal Data and Data Subjects. Customer authorizes Venafi to process the following categories of Customer Personal Data: names, business emails or contact information, client IP addresses, and other pseudonymized digital identifiers for Customer’s Employees and Customer Employee users of the Service.
Authorized Purposes of Data Processing. Customer authorizes Venafi to process the Customer Personal Data described in Section 3.1 for the following purposes:
Providing and updating the Service, or any other machine identity management services or support services pursuant to the Agreement, including making ongoing product improvements and providing personalized recommendations;
Delivering product communications and information to users;
Enabling security reviews, usage analysis, real-time monitoring, and resolution of bugs and errors;
Confirming license compliance or fulfilling other specific contractual obligations under the Agreement; and
Any additional purposes Customer and Venafi may agree to in writing from time to time.
Data Processing as a Controller. Venafi will process certain Customer Personal Data for its own lawful purposes, as an independent Controller, solely when the Processing is necessary and proportionate to one of the following exhaustive list of legitimate business purposes: (a) billing, account management, and Customer relationship management, including the provision of billing and sales communications and authorized marketing communications; (b) delivery and improvement of support services, professional services and customer success services; (c) provision of information through Venafi.com and the Venafi Community forums; or (d) responding to Data Subject Requests (defined in Section 7) for any Personal Data processed by Venafi as data Controller.
Duties of Data Processor. Regardless of its role as Processor or Controller, Venafi shall process all Customer Personal Data in compliance with Applicable Data Protection Laws. When acting as a Processor, Venafi will process Customer Personal Data to the extent, and in such a manner, as is necessary to fulfill the purposes described in Section 3.2 in accordance with the Customer instructions in this DPA. Venafi must promptly notify Customer if, in its opinion, Venafi cannot process Customer Personal Data because Customer instructions do not comply with Data Protection Laws.
Processor Assistance. Venafi will assist Customer, at no charge, with meeting Customer’s compliance obligations under Data Protection Laws under the terms of this subsection. Specifically, upon Customer’s request, Venafi will (i) provide information relevant to Customer’s compliance obligations if such information is in Venafi’s possession, and (ii) provide other reasonable and relevant assistance to help Customer meet accountability obligations, perform data protection impact assessments, or consult with data protection authorities. Customer’s requests for assistance shall be proportionate to the nature, scope, context and purposes of Venafi’s data processing and shall not unreasonably exceed any requirements of Data Protection Laws.
Duties of Data Controller. Customer will comply with Data Protection Laws by ensuring that it has established lawful bases under Data Protection Laws to instruct Venafi to process Customer Personal Data for the purposes set forth in the Agreement and the DPA. Customer may comply with Data Protection Laws by, for example, evaluating and confirming Customer’s legitimate interests in enabling the provision and analysis of machine identity management services through the processing of limited amounts of Customer Personal Data pertaining to product users and/or Employees.
Sub-Processors
To the extent that Venafi is a Processor:
Use of Sub-Processors. Customer generally authorizes Venafi to engage sub-processors to process Customer Personal Data, and agrees that Venafi may engage Affiliates as sub-processors, upon the condition that Venafi shall: (i) enter into agreements with each sub-processor imposing and assuring data processing and protection obligations substantially equivalent to those set out in this DPA, including, if applicable, cross-border transfer mechanisms, and (ii) be liable for compliance with all obligations of this DPA and for sub-processor acts or omissions that breach Venafi’s obligations under this DPA.
Approved Sub-Processor List. Venafi shall maintain an up-to-date list of sub-processors who are approved to process Customer Personal Data, including their functions and locations. The list is available at venafi.com/gdpr-sub-processors. Venafi may update this list from time to time by notifying Customer of a new sub-processor at least thirty (30) days in advance of allowing the new sub-processor to process Customer Personal Data.
Objections to Sub-Processor. If Customer raises an objection to a new sub-processor within 30 days, based on reasonable concerns under specific Data Protection Law provisions, the Parties will discuss the concern in good faith. If the Parties are unable to reach a mutually agreeable resolution to either proceed with or decline to appoint a sub-processor, then, in the first instance, Venafi may limit the Processing of Customer Personal Data to exclude such sub-processor as the sole and exclusive remedy and, if Venafi does not so limit the processing of Customer Personal Data, then in the second instance, Customer as its sole and exclusive remedy may terminate its order for the affected Service and Venafi will refund any prepaid amounts, pro-rated for the remaining unused term.
Security
Security Measures. Venafi will implement, maintain, and enforce technical and organizational measures, procedures, and practices, as appropriate to the nature of the Customer Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Customer Personal Data, as well as protect against any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data (“Security Incident”). These technical and organizational security measures are disclosed in Schedule B.
Incident Notice and Response. Venafi will notify Customer without undue delay after becoming aware of Customer Personal Data being affected by a Security Incident. Venafi shall immediately: (i) make its best efforts to identify the cause of the Security Incident, and (ii) mitigate effects and remediate the cause to the full extent possible in Venafi’s reasonable control. Security Incidents under Section 5 do not include unsuccessful attempts to breach security, including unsuccessful logins, pings, port scans, denial of service attacks or the like or Security Incidents which are partially successful but do not affect systems, databases or the like managing, storing, processing or transmitting Customer Personal Data, such as a threat actor gaining access to a port which does not provide further access to Customer Personal Data.
Assistance from Processor. Upon Customer’s request, and taking into account the nature and severity of the Security Incident, Venafi will assist Customer by providing all information reasonably available and reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws. Customer acknowledges that Venafi’s notification of a Security Incident and its assistance under Data Protection Laws is not an acknowledgement by Venafi of its fault or liability.
Confidentiality
Confidentiality by Processor. Venafi will ensure that all Venafi personnel and sub-processors who process Customer Personal Data either enter into written confidentiality agreements, or are subject to contractual or statutory obligations of confidentiality, which are at least as protective as the confidentiality obligations in the Agreement.
Legal Requests for Disclosure. If a domestic law, court or regulator purports to require Venafi to disclose Customer Personal Data to a third party, or a Venafi sub-processor informs Venafi that they are being required through any process of law to disclose Customer Personal Data to a third party, then Venafi will inform Customer and give Customer an opportunity to object or challenge the request, with Venafi’s cooperation, unless domestic law prohibits the giving of such notice. Should Customer wish to object or challenge such a request, Venafi agrees that it shall reasonably assist, at Customer’s expense, with avoiding or limiting disclosure of Customer Personal Data to the maximum extent possible at law.
Data Subject Requests
Requests under Data Protection Laws. “Data Subject Request” refers to requests under Data Protection Laws by the person to whom Customer Personal Data relates (the “Data Subject”). Whether acting as a Controller or a Processor, Venafi will comply with Data Protection Laws when responding to Data Subject Requests.
Requests Properly Made to Controller. To the extent Venafi is a Processor, Data Subject Requests pertaining to Customer Personal Data should be directed to Customer rather than Venafi, and if Venafi does receive such a request from a Data Subject, Venafi will advise the Data Subject to submit the request to Customer. Venafi will provide any reasonable assistance requested by Customer with respect to such Data Subject Requests, including by helping to fulfil the request if Customer cannot fulfill such requests independently.
Data Return and Deletion
During Subscription Term. Customer may at any time during the Subscription Term use the features of the Service to the extent possible to access, download, or delete Customer Personal Data that Venafi is processing as a Processor or may submit any such requests to Venafi.
Post-Termination. If the Agreement is terminated, Venafi will cease processing Customer Personal Data as a Processor and will retain Customer Personal Data only as needed to allow Customer to instruct Venafi regarding the deletion or return of Customer Personal Data and for Venafi to follow those instructions. Venafi shall respond promptly to and comply with Customer instructions requiring Venafi to amend, delete, or otherwise process or stop processing Customer Data or Customer Personal Data. Venafi shall not retain Customer Personal Data longer than needed to fulfill Customer instructions. Deletion shall be in accordance with industry-standard practices and Venafi will confirm deletion in writing on request.
Exceptions. Unless Customer directs otherwise, instructions by Customer for Venafi to stop processing Customer Personal Data do not apply to contact information if a user or Customer Employee has chosen to receive communications from Venafi about products, services, resources, events or the like and has not exercised their individual choice to opt out of communications. Notwithstanding anything to the contrary in this DPA, Venafi may retain Customer Personal Data if required to by Data Protection Laws or to comply with Venafi’s standard backup or retention policies during the subscription term or a legal or regulatory requirement to retain such information.
Audits
Processor Records. Venafi will keep reasonable and customary records of its processing in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer any available records reasonably necessary to demonstrate compliance with Venafi’s obligations under this DPA and Data Protection Laws.
Audits of Processing Activity. Customer has the right to request, at reasonable intervals, any available summary reports of the following examinations or certifications relating to Venafi’s information security or data processing as a Processor: Type 2 SOC 2 report and periodic penetration tests or vulnerability scans. Subject to the terms of this section, Customer also has the right to conduct a data processing audit at Customer’s expense that is of reasonable scope and duration, pursuant to an audit plan that is mutually agreed upon by the Parties and consistent with the Audit Parameters in Section 9.3. Customer may exercise its right to conduct an audit only: (i) if Venafi is unable to provide third-party reports with sufficient information for Customer to verify compliance with this DPA, or (ii) if exercising the right is necessary for Customer to respond to a government authority audit.
Audit Parameters. Each Audit must conform to the following parameters: (i) be conducted by an independent third party appointed by Customer that will enter into a confidentiality agreement with Venafi, (ii) be limited in scope to matters reasonably required for Customer to assess Venafi’s compliance with the DPA and Data Protection Laws, (iii) occur at a mutually agreed date and time, (iv) occur no more than once per Service subscription term (unless required under Data Protection Laws or in connection with a Security Incident), (v) cover only facilities controlled by Venafi, (vi) restrict findings to Customer Personal Data and (vii) treat any results as confidential information to the fullest extent permitted by Data Protection Laws.
Cross-Border Transfers
Global Transfers. Venafi and its Affiliates may process and transfer Customer Personal Data globally as necessary to provide the Service. If Venafi engages in a restricted cross-border transfer as defined in Section 10.2, then it will comply with Schedule C (Cross-Border Transfer Mechanisms and Supplementary Measures).
Restricted Cross-Border Transfers. A restricted cross-border transfer means (i) where EU GDPR applies, a transfer of Customer Personal Data from the European Economic Area (“EEA”) to a country outside the EEA that is not subject to an adequacy determination by the European Commission, (ii) where the UK GDPR applies, a transfer of Customer Personal Data from the United Kingdom to any other country not subject to an adequacy determination, or (iii) where FADP applies, a transfer of Customer Personal Data from Switzerland to any other country not subject to an adequacy determination.
General
Relationship to Agreement. This DPA is incorporated into the Agreement and subject to the terms of the Agreement. If any provisions of the DPA that relate to Venafi’s processing of Personal Data are inconsistent with the terms of the Agreement, the DPA will prevail.
Governing Law. The DPA is governed by the governing law of the Agreement unless otherwise provided by Data Protection Laws. Any legal claims brought in connection with the DPA will be subject to the terms, conditions, exclusions, and limitations set forth in the Agreement to the fullest extent permitted by Data Protection Laws.
SCHEDULE A: SUBJECT MATTER AND DETAILS OF PROCESSING
Name of Data Exporter: | [For Customer to Complete] |
Contact details for data protection: | |
Main address: | |
Role: | Controller |
Name of Data Importer: | Venafi, Inc. |
Contact details for data protection: | privacy@venafi.com |
Main address: | 175 E. 400 South, Suite 300, Salt Lake City, Utah 84111, USA |
Role: | Processor or Controller |
Details of Processing
Controller (Customer) to Processor (Venafi)
Data Subjects: | Employees of Controller | |
Data Categories: | Names, business emails, contact information, digital identifiers | |
Sensitive Data: | None | |
Frequency of transfer: | Continuous | |
Nature of Processing: | Collection and processing of user credentials; use of email addresses to deliver product communications; processing of data integral to provided services; analysis of data for product improvements and authorized purposes. | |
Purpose of Processing: | As instructed by Controller in this DPA, the purpose is: (a) providing and updating the Service, or any other machine identity management services or support services pursuant to the Agreement, including to make ongoing product improvements and provide personalized experiences and recommendations; (b) delivering product communications and information to users; (c) enabling security reviews, usage analysis, real-time monitoring, resolution of bugs and errors, and service improvements; and (d) confirming license compliance or fulfilling other specific contractual obligations under the Agreement. | |
Duration of Processing: | Duration specified in DPA, as instructed by Controller. |
Controller (Customer) to Controller (Venafi)
Data Subjects: | Employees of Controller | |
Data Categories: | Names, business emails, contact information, digital identifiers | |
Sensitive Data: | None | |
Frequency of transfer: | One-time, when information is submitted to Controller | |
Nature of Processing: | Processing may occur for one of the following exhaustive list of business purposes: (a) billing, account management, and Customer relationship management, including the provision of billing and sales communications and authorized marketing communications; (b) delivery and improvement of support services, professional services and customer success services; (c) provision of information through Venafi.com and the Venafi Community forums; or (d) responding to Data Subject Requests for any Personal Data processed by Venafi as data Controller. | |
Purpose of Processing: | Venafi’s legitimate business interests in providing customer service, support, and requested or relevant communications or information; as well as in complying with legal obligations to respond to Data Subject Requests. | |
Duration of Processing: | Venafi retains Customer Personal Data for as long as required for legitimate business purposes, using the following criteria to determine retention periods: (a) the length of time of Venafi’s relationship with a user of its machine identity management services or recipient of marketing or informational emails; (b) the amount of account activity and interactions with Venafi; (c) whether retention serves an ongoing business purpose, such as improving the level of service to a Customer or Employee or delivering requested content through Venafi websites, and (d) whether retention is required by a future legal obligation to which Venafi is subject. |
Authorized Sub-Processors
Customer authorizes Venafi’s use of sub-processors, available at Venafi.com/gdpr-sub-processors.
SCHEDULE B: TECHNICAL AND ORGANIZATIONAL MEASURES
Available with a Mutual NDA. Please contact privacy@venafi.com for access requests.
SCHEDULE C-1: CROSS-BORDER TRANSFER MECHANISMS
Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
“EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
“UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
EU Transfers. Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
The EU SCCs are hereby incorporated by reference as follows:
(a) Module 2 (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Venafi is a Processor of Customer Personal Data;
(b) Module 3 (Processor to Processor) applies where Customer is a Processor of Customer Personal Data (on behalf of a third-party Controller) and Venafi is a Processor of Customer Personal Data;
(c) Customer is the “data exporter” and Venafi is the “data importer”; and
(d) by entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.
For each Module, where applicable the following applies:
(a) for purposes of Clause 8.1, the Agreement and this DPA constitute the instructions to Venafi for the Processing of Personal Information.
(b) for purposes of Clause 8.9, the parties agree that any audits or inspections be conducted in accordance with the terms set forth in the Agreement and the DPA.
(c) the optional docking clause in Clause 7 does not apply;
(d) in Clause 9, Option 2 will apply, the minimum time period for prior notice of sub-processor changes shall be as set out in the DPA, and Venafi shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with the DPA;
(e) in Clause 11, the optional language does not apply;
(f) in Clause 13, all square brackets are removed with the text remaining;
(g) in Clause 17, the governing law shall be the law designated as governing law in the Agreement. If the Agreement is not governed by an EU Member State law, then the governing law shall be either (i) the laws of France, or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of England and Wales.
(h) in Clause 18(b), disputes arising from the EU SCCs will be resolved before the courts designated as the forum for dispute resolution in the Agreement. If the Agreement does not designate an EU Member State as having exclusive jurisdiction to resolve disputes or lawsuits arising out of or related to the Agreement, then the parties agree that the following courts will have such jurisdiction: (i) the courts of France, or (ii) where the Agreement designates the United Kingdom as having jurisdiction, then the courts of England and Wales.
(i) Schedule A to this DPA (Subject Matter and Details of Processing; Sub-Processors) contains the information required in Annex 1 of the EU SCCs; and
(j) Schedule C to this DPA (Technical and Organizational Measures) contains the information required in Annex 2 of the EU SCCs.
Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.
Swiss Transfers. Where Customer Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:
The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule C-1 with the following modifications:
(a) in Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;
(b) in Clause 17 (Option 1), the EU SCCs will be governed by the laws of Switzerland;
(c) in Clause 18(b), disputes will be resolved before the courts of Switzerland;
(d) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c); and
(e) all references to the EU GDPR in this DPA are also deemed to refer to the FADP.
UK Transfers. Where Customer Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule C-1 with the following modifications:
(a) each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;
(b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data;
(c) in Table 1 of the UK Addendum, the parties’ key contact information is located in Schedule A to this DPA;
(d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule C-1;
(e) in Table 3 of the UK Addendum:
(i) the list of parties is located in Schedule A to this DPA;
(ii) the description of transfer is located in Schedule A to this DPA;
(iii) Annex II is located in Schedule B to this DPA; and
(iv) the list of Sub-Processors is located in Schedule A to this DPA.
(f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and
(g) in Part 2: Part 2 - Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
SCHEDULE C-2: SUPPLEMENTARY MEASURES
Venafi implements the following supplementary measures for Restricted Transfers of Personal Data to the United States, if applicable. These supplementary measures are based on “EDPB Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance With the EU Level of Protection of Personal Data” (adopted on 18 June 2021 and published on 21 June 2021). The measures are intended to compensate for the lack of a GDPR Article 45 adequacy decision for such Restricted Transfers, or to account for a GDPR Article 45 adequacy decision that allows for such transfers but which might later be subject to legal challenge.
Transparency Measures.
Venafi discloses the following information as relevant to Customer’s assessment of the level of protection afforded by the Agreement and this DPA in the United States:
(a) Venafi is not subject to (and would challenge any argument that it is subject to) receive disclosure orders from public authorities under the CLOUD Act or Foreign Intelligence Surveillance Act (FISA) sec. 702, including PRISM, because it does not process electronically stored communications data or communications metadata and is not a communications service provider. Venafi is a machine identity management provider providing business-to-business, organization-level security services such as certificate management and private PKI services for organizations. Venafi provides its core services by processing technical information, such as key and certificate data, that is not communications data and generally cannot be combined with or used to infer Personal Data of natural persons. The only Personal Data processed by Venafi is incidental to its core services, consisting of user data that is processed in order to provide users with access to Venafi services, product notifications, technical support and other authorized purposes.
(b) Venafi has never received any request from any public authorities to disclose Personal Data of Venafi customers or product users.
(c) The laws disclosed in paragraph (a) do not allow United States public authorities to request or compel a disclosure from Venafi of any Personal Data of Venafi customers or product users.
(d) No United States law prevents Venafi from disclosing or updating the information provided in paragraphs (a), (b) and (c) above.
Additional Contractual Measures.
In the event that Customer and Venafi reasonably agree, based on their interpretation of intervening decisions of regulators, data protection boards, or courts, that the mechanisms in Schedule C-1 and Schedule C-2 are inadequate to properly safeguard Customer Personal Information that is subject to a Restricted Transfer under Data Protection Laws, then Venafi will promptly implement additional supplementary measures for Restricted Transfers to ensure that Customer Personal Information is protected to the standard required by Data Protection Laws.
2.2. The additional contractual measures described in subsection 2.1 shall be discussed and mutually agreed in writing by Customer and Venafi. Such measures may include but are not limited to, for example, Venafi’s certification with the EU-US Data Privacy Framework once it is finalized with an adequacy decision in place.