This Data Processing Addendum ("DPA") is entered into as an addendum to and incorporated into the agreement (hereinafter "Agreement") between customer ("Customer") and Black Duck Software, Inc. or its Affiliate ("Company"). Individually Customer and Company may be referred to as "Party" and together, as the "Parties". This DPA sets forth the terms under which Personal Data is Processed under the Agreement in connection with (i) the software or SaaS services provided by Company ("Software Services") and (ii) the related maintenance and support services for the Software Services ("Support Services"). All capitalized terms in this DPA not otherwise defined herein shall have the same meaning as in the Agreement.
1. DEFINITIONS
1.1 "Applicable Data Protection Law" means all data protection and privacy laws applicable to each respective Party in connection with the Processing of Personal Data under this DPA, which may include Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation" or "GDPR"), the United Kingdom GDPR ("UK GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively "CCPA"), and any other applicable privacy laws and regulations.
1.2 "Controller" means the entity that determines the purposes and means of Processing Personal Data.
1.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed pursuant to the Agreement.
1.4 "Personal Data" means any information related to an identified or identifiable individual.
1.5 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.6 "Processed" or "Processing" means any set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
1.7 "Processor" means the entity that Processes Personal Data on behalf of the Controller.
1.8 "Restricted Transfer" means a transfer of Personal Data to a country or territory outside the European Economic Area (EEA) or the United Kingdom (UK), which is not subject to an adequacy decision under Article 45 of the EU GDPR or the UK GDPR (as applicable), and which would be unlawful in the absence of appropriate safeguards under Chapter V of the EU GDPR or the UK GDPR.
1.9 “Sell” and “Share” shall take their meanings respectively from the CCPA.
1.10 “Subprocessor” means a third-party service provider that the Processor engages to process Personal Data on behalf of the Controller.
1.11 "Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
2. ROLES OF THE PARTIES
2.1 Software Services
The Parties acknowledge that, in relation to Personal Data Processed in connection with the Software Services pursuant to the Agreement, each Party acts as a separate and independent Controller.
2.2 Support Services
The Parties acknowledge that, in relation to Personal Data Processed in connection with the Support Services pursuant to the Agreement: (a) Customer acts as the Controller; and (b) Company acts as the Processor, Processing Personal Data on behalf of Customer.
2.3 Applicable Data Protection Law
Each Party shall comply with Applicable Data Protection Law in the performance of this DPA.
3. CONTROLLER-TO-CONTROLLER TERMS (SOFTWARE SERVICES)
The following provisions apply to the Personal Data Processed by each Party acting as an independent Controller in connection with the Software Services:
3.1 Company shall implement appropriate security measures with the intent to protect Personal Data against unauthorized access, loss, destruction, or disclosure as described in Schedule C of this DPA. Such measures may be updated from time to time but shall not materially reduce any stated protections.
3.2 Company shall be responsible for responding to Data Subject requests and regulatory inquiries relating to its respective Processing of Personal Data as a Controller.
3.3 At Customer's request, Company shall cooperate in good faith to assist Customer in responding to any regulatory inquiries Customer receives related to its Processing of Personal Data pursuant to the Agreement.
4. CONTROLLER-TO-PROCESSOR TERMS (SUPPORT SERVICES)
The following provisions apply to the Personal Data Processed by Company as a Processor on behalf of Customer in connection with the Support Services:
4.1 Scope of Processing
Company shall Process Personal Data only on the documented instructions of Customer. Customer's documented instructions shall mean the description of Support Services in the Agreement and in Schedule A of this DPA. If Company believes that an instruction from Customer infringes on Applicable Data Protection Law attributable to either Party, Company shall promptly inform Customer. In the event Company is required by law to Process Personal Data beyond Customer's instructions, it shall notify Customer in advance unless prohibited from doing so. The provisions in Schedule G shall also apply in relation to Personal Data that is subject to the CCPA.
4.2 Confidentiality
Company shall ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations.
4.3 Subprocessors
Customer grants Company general authorization to engage Subprocessors in connection with the Processing of Personal Data for Support Services. A list of authorized Subprocessors is set out in Schedule B. Company shall provide at least thirty (30) days' prior written notice of the addition or replacement of a new Subprocessor. Upon the provision of notice, Customer has thirty (30) days (the "Objection Period") to object to the proposed new Subprocessor on reasonable and documented grounds related to data protection, including but not limited to compliance with GDPR, data security measures, and the Subprocessor's reputation. If Customer objects in writing to a proposed new Subprocessor during the Objection Period, the Parties will work in good faith to find a commercially reasonable solution to address Customer's concerns within 60 days. If a resolution cannot be reached within the 60 days, then Customer may terminate the affected portion of the Support Services without penalty, except for fees paid for services rendered up to the date of termination. Subprocessors shall be subject to obligations no less protective than those set forth in this DPA, and Company shall remain fully liable for the acts and omissions of its Subprocessors as if they were its own acts or omissions.
4.4 Security Measures
Company shall implement appropriate security measures with the intent to protect Personal Data against unauthorized access, loss, destruction, or disclosure as described in Schedule C of this DPA. Such measures may be updated from time to time but shall not materially reduce any stated protections.
4.5 Data Subject Rights
Taking into account the nature of the Processing, Company shall provide reasonable assistance to Customer in fulfilling Customer's obligations to respond to requests from individuals exercising their rights under Applicable Data Protection Laws, including rights of access, deletion, correction, and restriction. Company shall notify Customer promptly upon receiving a request directly from a Data Subject and shall not respond except as required by law.
4.6 Personal Data Breach
In the event of a Personal Data Breach of Personal Data under Company’s control or possession, Company shall notify Customer without undue delay upon Company’s confirmation of such breach. The notification may be delivered to Customer's designated contact by email.
Company’s notification shall include a level of detail based on information reasonably available to Company at the time and may include, to the extent known: (i) the nature of the breach; (ii) the approximate number of affected Data Subjects, and (iii) measures taken or planned to address the breach. Company may provide such information in phases as it becomes available.
Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any notification obligations to third parties or Data Subjects. Nothing in this DPA shall be construed to require Company to notify any third party or Supervisory Authority of a Personal Data Breach on behalf of Customer.
The notification of a Personal Data Breach by Company shall not be construed as an acknowledgment by Company of any fault or liability with respect to the Personal Data Breach.
Company shall provide rolling notifications as appropriate for any new or additional material information through remediation.
4.7 Audits
Customer may audit Company’s compliance with the Controller-to-Processor terms of this DPA no more than once in any twelve (12) month period, unless there has been a confirmed Personal Data Breach directly attributable to Company’s failure to comply with this DPA (“Data Breach Audit”).
Any audit shall be:
Customer shall promptly provide Company with a copy of any audit report generated in connection with an audit under this section and shall treat such audit report as Confidential Information of Company. Notwithstanding anything to the contrary, in Company’s reasonable discretion, Company may satisfy audit requests under this section by providing Customer with relevant and current third-party certifications, attestations, or audit reports. Except for Data Breach Audits, each Party shall bear their own costs of any audit. In the event of a Data Breach Audit, Company shall bear reasonable audit costs for both Parties.
4.8 Return or Deletion
Upon termination or expiration of the Agreement, Company shall delete all Personal Data Processed in connection with the Support Services as stated in the Agreement, unless Company is required by applicable law to retain such data.
4.9 Cooperation with Authorities and Assistance
Company shall provide reasonable assistance to Customer in responding to requests from data protection authorities and other governmental regulators relating to the Processing of Personal Data under the Agreement. Company shall also reasonably assist Customer with any data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities that Customer is required to carry out under Applicable Data Protection Laws in relation to the Processing activities covered by this DPA. Such assistance shall take into account the nature of the Processing and the information available to Company.
5. CROSS-BORDER DATA TRANSFERS
5.1 International Data Transfers from the EEA - Controller to Controller (Software Services)
5.1.1 To the extent that the Company receives or otherwise processes Personal Data that is subject to the EU General Data Protection Regulation in its capacity as a Controller from the Customer in the EEA and such processing involves a Restricted Transfer, the Parties agree that they shall comply with the obligations set out in the Standard Contractual Clauses for controller-to-controller transfers, as approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs").
5.1.2 The Parties agree that for the purposes of the EU SCCs (Controller-to-Controller): (i) Module 1 (Controller-to-Controller) shall apply; (ii) The Customer is the "data exporter" and the Company is the "data importer"; (iii) Clause 7 (Docking Clause) shall not apply; (iv) Clause 11 (Redress) shall not apply; (v) Clause 17 (Governing Law) shall be the laws of Ireland; (vi) Clause 18 (Choice of Forum and Jurisdiction) shall be the courts of Ireland; (vii) Annexes I and II of the EU SCCs shall be populated as set out in Schedule D to this DPA.
5.2 International Data Transfers from the EEA - Controller to Processor (Support Services)
5.2.1 To the extent that the Company receives or otherwise processes Personal Data that is subject to the EU General Data Protection Regulation in its capacity as a Processor from the Customer in the EEA and such processing involves a Restricted Transfer, the Parties agree that they shall comply with the obligations set out in the Standard Contractual Clauses for controller-to-processor transfers, as approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
5.2.2 The Parties agree that for the purposes of the EU SCCs (Controller-to-Processor): (i) Module 2 (Controller-to-Processor) shall apply; (ii) The Customer is the "data exporter" and the Company is the "data importer"; (iii) Clause 7 (Docking Clause) shall not apply; (iv) Clause 11 (Redress) shall not apply; (v) Clause 17 (Governing Law) shall be the laws of Ireland; (vi) Clause 18 (Choice of Forum and Jurisdiction) shall be the courts of Ireland; (vii) Annexes I and II of the EU SCCs shall be populated as set out in Schedule E to this DPA.
5.3 International Data Transfers from the UK
5.3.1 To the extent that the Company receives or otherwise processes Personal Data that is subject to the UK General Data Protection Regulation from the Customer in the UK, and such processing involves a Restricted Transfer to a country outside the UK, the Parties agree that the EU SCCs as outlined in Clauses 5.1 and 5.2 above shall apply and are incorporated by reference, subject to the following modifications to reflect the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018 (the "UK Addendum"):
(i) The EU SCCs are varied in accordance with Part 2 (Mandatory Clauses) of the UK Addendum; (ii) The "Importer" and "Exporter" shall complete the information required by Tables 1 to 4 of Part 1 of the UK Addendum, as set out in Schedule F to this DPA; (iii) In the event of any inconsistency between the EU SCCs and the UK Addendum, the terms of the UK Addendum shall prevail to the extent required by UK Data Protection Law.
6. GENERAL PROVISIONS
6.1 This DPA forms part of the Agreement. It does not create any additional warranties or liabilities beyond those expressly set forth in the Agreement.
6.2 Wherever possible, the terms of this DPA shall be read in such a manner so as to avoid conflict with the terms of the Agreement. In the event of conflict between the Agreement, this DPA, and the EU SCCs (including the UK Addendum), the following order of precedence shall apply: (1) the EU SCCs and the UK Addendum, where applicable; (2) this DPA; and (3) the Agreement.
6.3 For the avoidance of doubt, signature of the Agreement shall constitute signature of the EU SCCs and the UK Addendum.
6.4 This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination or expiration of the Agreement.
6.5 Company shall notify Customer promptly in the event it is unable to comply with any provisions of this DPA.
SCHEDULE A – Support Services: Data Processing Details
A. Role and Scope
Customer acts as Controller and Company acts as Processor solely for the Processing of Personal Data in connection with the Support Services described in the Agreement.
B. Categories of Data Subjects
Authorized users of the software platform (e.g., employees and contractors of Customer) who submit Support Services requests.
C. Categories of Personal Data
First and Last Name, Company Email Address, Company, Job Title, Company Registration ID, Country, and support request content.
D. Special Categories of Data
None.
E. Nature and Purpose of Processing
The Processing of Personal Data is limited to the receipt, access, storage, review, and communication related to Support Services for the Software Services.
F. Duration of Processing
See Section 4.8 of the DPA.
G. Competent Supervisory Authority
Ireland.
SCHEDULE B – Support Services: Authorized Subprocessors
Subprocessor | Location | Purpose
Salesforce | United States | Storage of support ticket and case tracking system
Black Duck Software, Inc. (as applicable) | United States | Responding to and Resolving Support Requests
Silicon Frontline Technology (Canada) Inc. | Canada | Responding to and Resolving Support Requests
Silicon Frontline Technology (UK) Limited | UK | Responding to and Resolving Support Requests
Black Duck Software India Private Limited | India | Responding to and Resolving Support Requests
SCHEDULE C – Technical and Organizational Security Measures
Security Governance
Under the direction of the Chief Information Security Officer (CISO), the security team provides oversight and management for the development and implementation of a comprehensive cybersecurity program. Cybersecurity personnel have experience in their security domains, and each has significant institutional knowledge about operations. Company implements privacy by design and by default throughout design, development, and all other phases. Black Duck has defined and published a set of cybersecurity policies based on ISO 27001, ISO 27002, NIST SP 800-53, and the NIST CSF.
Data Encryption
Personal Data is encrypted using industry-standard mechanisms. Personal Data in transit from a hosted platform is secured using Transport Layer Security (TLS) version 1.2 or higher with Perfect Forward Secrecy (PFS). Data at rest on hosted platforms is protected using AES-256 encryption, applied via native platform controls or full-disk encryption for endpoint and administrative systems where Personal Data may be accessed or temporarily stored. Encryption keys are subject to strict access control, usage logging, and scheduled rotation.
Access Controls
Access to systems processing Personal Data is governed by role-based access control (RBAC) and the principle of least privilege. All user accounts are uniquely assigned, and administrative or privileged access requires multi-factor authentication (MFA) and is limited to personnel with a defined operational need. Sharing of login credentials is strictly prohibited. Access rights are reviewed on a regular basis and revoked upon role change, termination, or any other justifying event. Physical access to facilities and systems is restricted to authorized individuals and subject to monitoring, logging, and secure badge-based entry, including 24/7 security monitoring for data servers. All access to Personal Data—whether via application interface, direct database query, or administrative tools—is logged, monitored, and audited on a regular basis.
Network Security
Multiple security controls and tools are employed within the hosting environment for a “defense in depth” approach which include as appropriate the following:
Secure Development Practices
Solution development and provisioning are aligned with at least industry-standard secure development practices throughout the SDLC process model.
Logging and Monitoring
The Processor maintains robust logging and monitoring controls to detect, investigate, and respond to unauthorized or anomalous access to systems that process Personal Data. All access to Personal Data—whether through applications, administrative consoles, APIs, or infrastructure layers—is recorded in secure audit logs that include timestamps, user IDs, source IPs, and actions performed. Logs are protected against tampering and unauthorized access, and are retained for a minimum of twelve (12) months or longer where legally required or contractually agreed. Logs are regularly reviewed by the Processor’s security team as part of its incident detection and compliance oversight process.
Backup and Recovery
We maintain a documented and regularly tested business continuity and disaster recovery (BCDR) program designed to ensure the resiliency and availability of our services. For Licensed Services, this includes multiple redundant data centers, automated backups, and high-availability architecture to minimize downtime or data loss. Our BCDR program covers all Personal Data with specific Recovery Time Objective (RTO) targets.
Incident Response Measures
An incident response plan has been established that outlines the responsibilities and requirements needed to support the identification, response, containment, mitigation, tracking, and post-mortem activities relating to cybersecurity incidents. The Cybersecurity team defines procedures and coordinates activities for monitoring and managing suspected security events and security incidents to minimize impact, ensure the prompt restoration of operations, and prevent cybersecurity incidents from recurring. The incident response plan is reviewed and evaluated regularly and no less than annually. The incident response plan includes:
Employee Training
Company has implemented a security awareness program. The program provides personnel with cybersecurity awareness education to ensure they are adequately trained to perform their information security-related duties and responsibilities consistent with Company policies and agreements.
Third-Party Vendor Management
Company has implemented a third-party vendor management program that, inter alia, covers standard statements for the vendor life cycle, information security requirements in service agreements, access controls, and ongoing monitoring and reviews. Company has also implemented a Third-Party Proprietary Software Policy that governs how it procures and utilizes third-party proprietary software. The policy defines requirements for license approvals, incorporation into products/services, best practices, and roles and responsibilities.
Data Retention and Deletion Policies
Upon completion or successful termination of any commercial agreement, all Personal Data in association with provisioned services is deleted in compliance with the terms of the Agreement.
SCHEDULE D – Controller-to-Controller SCCs (Software Services)
Annex I – A. List of Parties
Data Exporter
Customer’s name, address and contact as set forth in the Agreement
Role: Controller
Data Importer
Name: Black Duck Software, Inc.
Address: 800 District Ave #101, Burlington, MA 01803
Contact: CPO, [email protected]
Role: Controller
Annex I – B. Description of the Transfer
Categories of data subjects:
Categories of personal data transferred:
Sensitive data transferred:
Frequency of the transfer:
Nature of the processing:
Purpose(s) of the data transfer and further processing:
Retention period:
Annex I – C. Competent Supervisory Authority
Ireland
Annex II – Technical and Organizational Measures
See Schedule C to this DPA
SCHEDULE E – Controller-to-Processor SCCs (Support Services)
Annex I – A. List of Parties
Data Exporter
Customer’s name, address and contact as set forth in the Agreement
Role: Controller
Data Importer
Name: Black Duck Software, Inc. or Affiliate name from the Agreement
Address: 800 District Ave #101, Burlington, MA 01803 or Affiliate Address from the Agreement
Contact: CPO, [email protected]
Role: Processor
Annex I – B. Description of the Transfer
Categories of data subjects:
Categories of personal data transferred:
Sensitive data transferred:
Frequency of the transfer:
Nature of the processing:
Purpose(s) of the data transfer and further processing:
Retention period:
Annex I – C. Competent Supervisory Authority
Ireland
Annex II – Technical and Organizational Measures
As specified in Schedule C to this DPA
SCHEDULE F – UK Addendum Tables
Table 1: Parties
Start Date | Effective Date of the Agreement
Exporter | Customer name set forth in the Agreement
Exporter Address | Customer address set forth in the Agreement
Exporter Contact Details | Customer contact set forth in the Agreement
Exporter Role | Controller
Importer | Black Duck Software, Inc. or Affiliate name from the Agreement
Importer Address | 800 District Ave #101, Burlington, MA 01803 or Affiliate Address from the Agreement
Importer Contact Details | CPO, [email protected]
Importer Role | Controller for Software Services; Processor for Support Services
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The version of the approved EU SCCs included in this DPA
Modules:
Clause 7 (docking clause): included
Clause 11 (redress): excluded
Table 3: Appendix Information
This is a summary of the information set out in Annex I.A to II of the EU SCCs (see Schedules D and E of this DPA).
Annex 1(A): List of Parties: As detailed in Table 1 above
Annex 1(B): Description of Transfer:
Annex 1(C): Competent Supervisory Authority: UK Information Commissioner's Office (ICO)
Annex 2: Technical and Organizational Measures: See Schedule C to the DPA
Table 4: Ending the Addendum when the Approved SCCs Change
Neither party may end the Addendum as set out in Section 19 of the UK Addendum if the EU SCCs change.
SCHEDULE G – CCPA
This CCPA Addendum supplements the DPA and applies solely to the extent the data Processed is ‘personal information’ subject to the CCPA.
Company certifies that it understands the restrictions in CCPA Section 1798.140(ag)(2) and agrees that: