Data Processing Agreement - Managed Solutions

This Data Processing Agreement (“DPA”) supplements and forms part of the agreement between Customer and Equinix (“Agreement”) which governs the provision of the Managed Solutions to Customer (“Services”), to the extent that Data Protection Laws apply to Equinix’s Processing of Customer Personal Data.

Accordingly, the Parties have agreed and entered into this DPA to govern such Processing activity.

Definitions. Any capitalised terms not defined below will have the meaning given to them in the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, Civil Code section 1798.100 et seq.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

“Cross-Context Behavioural Advertising” has the meaning given to it by the CCPA.

“Customer Data” includes all data loaded, stored, received, retrieved, transmitted through or otherwise processed by Customer as part of its use of the Services.

“Customer Personal Data” means all Personal Data that form part of the Customer Data.

“Customer SCC Agreement” means the agreement between Customer and Equinix, incorporating the Standard Contractual Clauses, that forms part of this DPA, that takes effect upon the commencement of any Restricted Transfer and that is set out at https://docs.equinix.com/en-us/Content/shared-responsibilities/customer-SCC-agreement.htm.

“Data Protection Laws” means all laws regulating the Processing of Personal Data which are applicable to the Processing of Customer Data by Equinix in connection with the Services.

“Data Subject” means the identified or identifiable living individual to whom personal data relates.

“GDPR” means General Data Protection Regulation, Regulation (EU) 2016/679.

“Personal Data” means any information relating to an identified or identifiable natural person and whose collection, use, disclosure, storage or otherwise Processing is regulated by Data Protection Laws.

“Personal Data Breach” means a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Processor” means the entity that Processes Personal Data on behalf of the Controller.

“Processing” (including “Processed” and “Process”) means any operation or set of operations performed on Personal Data, such as access, collection, recording, organization, storage, retrieval, consultation, use, and as this term may further be defined under Data Protection Laws.

“Restricted Transfer” means any international or cross border transfer of Customer Personal Data which, in the absence of the Standard Contractual Clauses or other applicable legal mechanism, would be unlawful under Data Protection Laws.

“Security incident” means an event that has the potential to breach Equinix’s security or confidentiality policies or otherwise threatens Equinix’s ability to maintain adequate security, confidentiality or availability related to data, personnel, or other Equinix resources.

“Sell” has the meaning given to it by the CCPA.

“Standard Contractual Clauses” or “SCC” means, as applicable to any Restricted Transfer between the parties, the relevant standard contractual clauses for the international transfer of Personal Data (i) set out in the European Implementing Decision (EU) 2021/914 (“EU SCCs”); (ii) set out in the UK Addendum; or (iii) issued by a competent authority under any other applicable Data Protection Law.

“Targeted Advertising” has the meaning given to it by the CCPA.

“UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.

EXECUTION OF THE PROCESSING

If Equinix Processes Customer Personal Data as a result of the provision of Services, Customer acts as a Controller and Equinix acts as a Processor, and the provisions of this DPA will apply and be read in accordance with, and supplemented by, the terms of the Product Policies for the Services and the Shared Responsibility Model which describe the Parties’ responsibilities and can be found here: https://docs.equinix.com/en-us/Content/shared-responsibilities/shared-responsibility.html

Each Party will comply with its respective obligations under Data Protection Laws and will provide at least the level of protection to Customer Personal Data as required by Data Protection Laws.

The scope and nature of Equinix’s Processing of Customer Personal Data is set out in Schedule 1 to this DPA.

Customer will determine the purposes and means of the Processing of Customer Personal Data. Customer will, without prejudice to Equinix’s obligations under the Agreement and this DPA, and without limitation to its obligations under the Data Protection Laws, take all steps necessary to ensure that Customer Personal Data may be lawfully made available to, and Processed by, Equinix for the purposes instructed by Customer under the Agreement and this DPA.

Equinix will only Process Customer Personal Data for the specific business purpose of performing its obligations under the Agreement and this DPA. The Agreement and this DPA form Customer’s complete written instructions to Equinix regarding the Processing of Customer Personal Data. Notwithstanding the foregoing, Equinix may Process Customer Personal Data to comply with applicable Data Protection Laws but will inform Customer of that legal requirement before Processing, unless such law prohibits such information. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Equinix's unauthorized use of Customer Personal Data.

Except as otherwise expressly permitted by Data Protection Laws, Equinix will not sell, retain, use, share, disclose or otherwise Process Customer Personal Data, whether in aggregate or individual form:

- for any commercial purpose or any other purpose, including the servicing of a different business other than the specific purpose described in Section 1.5;

- outside the direct business relationship between Equinix and Customer; or

- for Cross‑Context Behavioural Advertising or Targeted Advertising.

Equinix agrees that any aggregated, anonymous, de‑identified, or pseudonymous Customer Personal Data that it receives from or on behalf of Customer or that it generates through providing the Services cannot be re‑associated or re‑identified with an individual. Equinix will publicly commit to not attempt to re‑identify such information. Equinix will not combine Customer Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interactions with data subjects, except as allowed by Data Protection Laws.

As Controller, Customer is responsible for informing data subjects about the Processing of Customer Personal Data, and for responding to requests to exercise data subject rights under Data Protection Laws. Customer acknowledges that Equinix has configured the Services and implemented appropriate technical and organisational measures that are designed to enable Customer to access, modify, and delete Customer Personal Data without further assistance from Equinix. Considering the nature of the Processing and the limited extent of Equinix’s access to Customer Personal Data, Equinix will provide Customer, on request, with any further assistance reasonably required to enable Customer to comply with data subject rights.

Customer authorises Equinix to engage any Affiliate or third party as a further Processor (“Sub-Processor”), subject to Equinix:

- entering into a data processing agreement with Customer which complies with the Data Protection Laws;

- notifying Customer in advance of any changes to its use of Sub-Processors, thereby giving Customer the opportunity to object; and

- remaining liable to Customer for any failure by a Sub-Processor to fulfil its obligations in relation to the Processing of Customer Personal Data.

The Sub-Processors engaged by Equinix as of the date of the Agreement are those set forth in Schedule 2 to this DPA.

SECURITY

In its capacity as Data Processor of Customer Personal Data, and taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Equinix will take appropriate technical and organizational security measures that it considers reasonably necessary to protect the Customer Personal Data, and will assist Customer, insofar as this is reasonably feasible, with Customer’s security obligations under Data Protection Laws. The Parties acknowledge that in certain cases, Equinix may offer additional technical and organizational security measures as separate commercial products and services, the choice for which lies wholly with Customer. Equinix’s security controls, together with the commitment given in this Section 2.1, constitute Equinix’s sole responsibility with respect to the security of Customer Data. Equinix security controls are described in Schedule 3. In addition, those measures also comply with the requirements set forth in ISO 27001. A description of the security controls for these requirements is available to Customer, upon request.

Equinix will notify Customer without undue delay upon becoming aware of any Personal Data Breach. Insofar as the information is available to Equinix, it will provide Customer with information about the nature and likely consequence of the Personal Data Breach and about the measures that were or will be taken to address the Personal Data Breach, and any other information which Customer is entitled to under Data Protection Laws.

Equinix will ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

AUDITS

Equinix’s Audit Program. Equinix engages external auditors to assess the adequacy of its security measures with respect to its Processing of Customer Personal Data. Such audits are performed at least once a year at Equinix’s expense. The audits are performed by qualified and independent third-party security professionals at Equinix’s selection and result in the generation of a confidential audit summary (“Audit Report”). Equinix will, upon Customer’s written request and at reasonable intervals, provide Customer with a copy of its most recent Audit Report. All such Audit Reports are Equinix’s Confidential Information and provided for the sole use of Customer.

Customer Audit. Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by production of this Audit Report. To the extent that Customer can demonstrate that the Audit Report does not provide sufficient information to verify Equinix’s compliance with this DPA, or where Customer is required to arrange a further audit by any supervisory authority, the Parties will mutually agree on the scope of the Customer audit plan that: (a) ensures the use of an independent third party; (b) provides Equinix with reasonable advance notice, in writing, of the commencement of the audit; (c) requires access to Equinix personnel and infrastructure only during normal business hours; (d) accepts billing to Customer at Equinix’s then-current rates for time spent by Equinix personnel on the audit; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer and its third-party auditor, to the extent permitted by law or regulation, to maintain the confidentiality of any information disclosed or otherwise gathered during the course of the Customer audit.

RETURN OR DELETION OF CUSTOMER CONTENT

Equinix will provide Customer, upon Customer’s written request, with any further assistance reasonably required to enable Customer to delete or return Customer Personal Data, at Customer’s cost and expense.

Retention Required by Law. Notwithstanding anything to the contrary in this Section 4, Equinix may retain Customer Personal Data, or any portion of it, if required by applicable law or regulation, including Data Protection Law, provided such Customer Personal Data remains protected in accordance with the terms of the Agreement, this DPA, and Data Protection Law.

INTERNATIONAL TRANSFERS

If there is a Restricted Transfer between the parties, the parties agree to enter into the Standard Contractual Clauses in the form set out in Equinix’s Customer SCC Agreement, available at: [Insert URL], or other applicable legal mechanism. The Customer SCC Agreement is incorporated into and forms part of this DPA and takes effect upon the commencement of a Restricted Transfer between the parties.

INFORMATION REQUESTS

Equinix will, on request, and taking into consideration the nature of the Processing and the information available to Equinix, reasonably assist Customer regarding Customer’s obligations in respect of data protection or privacy impact assessments required by Data Protection Laws.

MISCELLANEOUS

Customer acknowledges and agrees that Equinix may, in its sole discretion, modify this DPA from time to time, which, in its reasonable opinion, is necessary to ensure the Parties’ continued compliance with Data Protection Laws, and that such modified DPA terms will be effective upon posting.

The provisions of this DPA form part of, and are supplemental to, the terms of the Agreement. In the event of any ambiguity, conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of the DPA will control. This DPA replaces any other agreements entered into by Equinix in its capacity as Processor of Customer Personal Data with regards to the Services.

Schedule 1 to the Data Processing Agreement

As per clause 1.3, this is the scope and nature of Equinix Processing.

| Tier Name | Product examples | Purpose of Processing | Equinix Role | Customer Role | Categories of Personal Data |
|---|---|---|---|---|---|
| Infrastructure as a Service | Managed Private Cloud | (a) Backup, support, planning, and enabling migration, deployment, and development of Services; Encryption (enabled by default for data at rest in MPC Storage); (b) Infrastructure management (preventing, detecting, investigating, mitigating, and repairing problems, including security incidents and problems identified in the Services); and (c) Enhancing delivery, efficacy, quality, and security of our Services, including keeping Services up to date, and enhancing reliability, efficacy, quality, and security and fixing defects. | Data Processor | Data Controller | As determined by Customer |
| Enhanced Platform as a Service | Managed Private Backup | As above | Data Processor | Data Controller | As determined by Customer |
| Infrastructure as a Service | Managed Private Storage | As above | Data Processor | Data Controller | As determined by Customer |

Schedule 2 to the Data Processing Agreement

As per clause 1.9, this is the Sub-Processor list:

Globally: Equinix Services Inc.

Equinix (US) Enterprises Inc.

Equinix (UK) Enterprises Ltd.

Equinix (Germany) Enterprises GmbH

Equinix (Netherlands) Enterprises BV

Virtu Secure Webservices BV

Equinix (Italy) Enterprises SRL

Equinix (Japan) Enterprises KK

Equinix (Japan) Technology Services KK

Equinix do Brasil Solucoes de Tecnologia en Informatica Ltda

Equinix do Brasil Telecommunicacoes Ltda

Equinix MX Services SA de CV

Equinix (Canada) Enterprises Ltd.

Equinix (Sweden) Enterprises AB

Equinix (France) Enterprises SAS

Equinix (Spain) Enterprises SAU

Equinix (Finland) Enterprises Oy

Equinix (Ireland) Enterprises Ltd

 

Schedule 3 - TECHNICAL AND ORGANISATIONAL MEASURES

The table below illustrates the Technical and Organisational Measures implemented by Equinix for the provision of Services:

Domain

Practices

Organization of Information Security

Organizational Context

Risk Management Strategy

Roles, Responsibilities, and Authorities

Policy Oversight

Equinix has organized governance of Information Security around the following teams and programs which review, evaluate and enhance Equinix security practices:

Audit and compliance – Equinix formally complies with various industry standards, such as ISO 27001. Audit attestations and certificates are provided by qualified third-party auditors. These auditors coordinate activities with various business and technology teams like Business Assurance Services, Internal Audit, and Operations.

Information Security team – Working closely with the legal organization, this team is charged to follow global and business unit guidelines to help ensure compliance with local and federal laws and regulations.

Information Security Risk Management - Working closely with business representatives to establish Equinix’s priorities, constraints, risk tolerance and appetite statements, and ensuring that assumptions are established, communicated, and used to support operational risk decisions.

Information Security policies – The Equinix Information Security team administers and enforces a comprehensive set of confidential information security policies that is reviewed and endorsed by senior management. This team ensures that the internal policies are global in scope, covering country-specific and region-specific laws, regulations, and business requirements. Areas covered by these internal security policies include, but are not limited to: acceptable use of technology, anti-virus and malware, data backup and retention, data classification, labeling and handling, logical access, passwords, patch management, mobile devices, personal computers, remote access and VPN, and social media.

Information Protection

Human Resource Security

Equinix has implemented and maintains employee security training programs regarding information security risks and requirements. The security awareness training programs are reviewed and updated at least annually.

Where permitted by law, and to the extent available from applicable governmental authorities, Equinix requires each employee to undergo a background check.

Asset Management

Asset Inventory - Equinix has implemented processes that focus on identifying and cataloging all assets used to deliver services. This process includes physical assets, virtual assets and intangible assets like software licenses. By maintaining an accurate, up-to-date inventory, Equinix can effectively track its assets, monitor their usage, and plan for maintenance.

Asset Handling - This involves implementing technical and organizational measures to protect assets from damage, theft, or unauthorized access. Technical measures may include implementing security systems to safeguard physical assets, such as surveillance cameras and access control systems. Equinix may employ encryption and authentication protocols to protect customer data stored on digital assets. Organizational measures involve establishing policies and procedures for asset handling, including guidelines for asset maintenance, usage, and disposal.

Physical and Environmental Security

Safeguarding physical security of every IBX Center where information systems processing and storing customer data are located is a high operational priority. Each IBX Center uses an array of security equipment, techniques and procedures to monitor the facility and to control and record access.

Access – The access control subsystem allows authorized users inside the building and within the facility. Biometric security devices, proximity cards and other technologies identify users to the access control system, and upon authentication allow contacts to navigate the IBX as permitted.

Alarm Monitoring and Intrusion Detection – The alarm monitoring and intrusion detection subsystem monitors the status of various devices associated with the security system. Monitoring devices include door position switches, glass break detectors, motion detectors, and tamper switches. If the status of any device changes from its secure state, an alarm is activated, the event is recorded, and an appropriate measure is taken.

CCTV – The closed-circuit television subsystem provides the display, control, recording and playback of live video from cameras throughout the facility, as well as outside the facility where legally permitted. This system is integrated with the alarm monitoring and intrusion detection subsystem, so in the event of an alarm, cameras are displayed automatically to view the event in real time.

Communications and Operations Management

Vulnerability Assessments - Equinix performs regular internal and external vulnerability assessments and penetration testing of the Equinix EMS information systems and will investigate identified issues and track them to resolution in a timely manner.

Malicious Software - Equinix has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data including malicious software originating from public networks.

Change Management - Equinix maintains controls designed to log, authorize, test, approve and document changes to existing resources and will document change details within its change management or deployment tools. Equinix will test changes according to its change management standards prior to migration to production. Equinix will maintain processes designed to detect unauthorized changes to the Equinix information systems and track identified issues to a resolution.

Data Integrity - Equinix maintains controls designed to provide data integrity during transmission, storage, and processing within the Equinix Services information systems.

Event Logging - Equinix logs, or enables Customer to log, access to and use of information systems containing customer data (specific to that customer), registering the access ID, time, authorization granted or denied, and relevant activity.

Backup/Restore – Customer Data is backed up where applicable via backup tooling. Equinix employees managing these backups have no access to the Customer Data. In case a restore is required, Customer can request this restore.

Access Control

Equinix makes the Customer Data accessible only to authorized personnel, and only as necessary to maintain and provide the Equinix Services. Equinix maintains access policies and controls to manage authorizations for access to the customer data from each network connection and user through the use of firewalls, controlled access connectivity or functionally equivalent technology and authentication controls.

Data Segregation - Equinix maintains access controls designed to restrict unauthorized access to Customer Data and segregate each Customer’s Data from other Customers’ Data.

User access controls - Controls relating to access to Equinix information include, but are not limited to:

- least privilege principles based on personnel job functions

- review and approval prior to provisioning access

- at least quarterly review of access privileges

- when necessary, revoke access privileges in a timely manner

- two-factor authentication for access to the Customer Data

- monitoring by Equinix (or enabled Customers) for anomalies in access activity such as (but not limited to) repeated attempts to gain access to the information system using an invalid password.

Information Security Incident Management

Incident Response Process - Equinix maintains incident response plans (runbooks) to respond to potential security threats to the Managed Solution Services. Equinix runbooks will have defined processes to detect, mitigate, investigate, and report security incidents. The Equinix runbooks include incident verification, attack analysis, containment, data collection, and problem remediation. For each Security Breach that is a Security Incident, appropriate notification by Equinix EMS will be made in compliance with local regulations.

Service Monitoring - Equinix monitors on a continuous basis, or enables Customer to monitor, for anomalies related to security events (for example but not limited to repeated attempts to gain access to the information system using an invalid password).

Business Continuity Management

Emergency and Contingency plans - Equinix maintains emergency and contingency plans for the facilities in which Equinix information systems that process Customer Data are located. These plans will be tested annually.

Data recovery - Equinix redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state.