Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements and forms part of the services agreement between Customer and Equinix governing Customer’s use of Equinix Metal (the “Agreement”), to the extent that Data Protection Laws apply to Equinix’s Processing of Customer Personal Data.

Customer is responsible for removing all Customer Data from the Equinix Metal server(s) on or before the end of the term of the Agreement. If Customer Data is not removed from the Equinix Metal server(s) by Customer, then Equinix will delete Customer Data as part of its deprovisioning activities. If Equinix’s deprovisioning of the Equinix Metal server(s) results in the deletion of Customer Personal Data, such action may be considered an act of Processing.

Accordingly, the Parties have agreed and entered into this DPA to govern such Processing activity.

1. DEFINITIONS. Any capitalized terms not defined below shall have the meaning given to them in the Agreement.

1.1 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

1.2 “Customer Data” means all data loaded, stored, received, retrieved, transmitted through, or otherwise processed by Customer as part of its use of Equinix Metal.

1.3 “Customer Personal Data” means all Personal Data that forms part of the Customer Data.

1.4 “Data Protection Laws” means all laws in the appropriate jurisdiction including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom regulating the Processing of Personal Data which are applicable to the Processing of Customer Personal Data by Equinix in connection with the Digital Services.

1.5 “Equinix Metal” means the Digital Services comprising the provision of bare metal servers (known as Equinix Metal), provided either on-demand or as part of a subscription, by Equinix under the Agreement.

1.6 “Personal Data” means any information relating to an identified or identifiable natural person and whose collection, use, disclosure, storage or otherwise processing is regulated by Data Protection Laws.

1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed.

1.8 “Processing”, “Processed”, “Process” means any operation or set of operations performed on Personal Data, such as access, collection, recording, organization, storage, retrieval, consultation, use, and as this term may further be defined under Data Protection Laws.

1.9 “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.10 “Shared Responsibility Model” means the division of responsibility between a Customer and Equinix for various Equinix services which can be reviewed at: https://docs.equinix.com/en-us/Content/shared-responsibilities/shared-responsibility.html.

2. DATA PROCESSING

2.1 If Equinix Processes Personal Data as a result of the provision of Equinix Metal, Customer acts as a Controller and Equinix acts as a Processor, and the provisions of this DPA shall apply. The Parties will comply with their respective obligations under the Data Protection Laws. The scope and nature of Equinix’s Processing of Customer Personal Data is set out in Schedule 1 to this DPA.

2.2 To the extent Customer does not itself use the controls available to it to remove Customer Data from an Equinix Metal server prior to the expiry or termination of an applicable Order, Customer as Controller hereby instructs Equinix as Processor to remove all Customer Data, including Customer Personal Data, from Equinix Metal upon the expiry or termination of the applicable Order in accordance with Section 5.1 of this DPA. Customer shall take all steps necessary to ensure that the Customer Personal Data will be lawfully made available to, and Processed by, Equinix for the purposes instructed by Customer under this DPA.

2.3 Equinix will only Process the Customer Personal Data set forth in Section 2.2 of this DPA, which forms the Customer’s complete written instructions to Equinix regarding the Processing of Customer Personal Data.

2.4 As Controller, Customer is responsible for informing data subjects about the Processing of Customer Personal Data, and for responding to requests to exercise data subject rights under Data Protection Laws. Customer further acknowledges that Equinix has configured Equinix Metal and implemented appropriate technical and organisational measures that are designed to enable Customer to access, modify and delete Customer Data without further assistance from Equinix, and which prevent Equinix from accessing, modifying, or deleting Customer Data during the term of an Order. Given the foregoing, as well as the nature of the Processing and the limited extent of Equinix’s Processing of Customer Personal Data, Equinix is unable to provide Customer with any further assistance reasonably required to enable Customer to comply with data subject rights.

2.5 Equinix does not use sub-processors for the Processing outlined here. If this position changes, Equinix will notify Customer.


3. SECURITY

3.1 Taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Equinix will take appropriate technical and organizational security measures that Equinix, in its sole discretion, considers reasonably necessary to protect Equinix Metal infrastructure and the physical environment in which it is located. Equinix’s security controls as at the date of the DPA are described in Schedule 2.

3.2 Customer is responsible for developing, implementing, maintaining, and employing appropriate administrative and technical safeguards which, in Customer’s sole discretion, are reasonably and appropriately designed to protect the security of Customer Data, including, without limitation: (i) encrypting Customer Data which is stored and processed on Equinix Metal; (ii) utilizing intrusion detection and monitoring, firewalls, anti-virus protection software, and other related security measures consistent with then-current industry standards; (iii) regularly backing up and storing backups of Customer Data; (iv) implementing appropriate remediation measures in order to mitigate loss, disruption, deletion, corruption, or modification of Customer Data; and (v) removing Customer Data from Equinix Metal before the expiry or termination of an Order.

3.3 Equinix will notify Customer without undue delay upon becoming aware of any Personal Data Breach. Insofar as the information is available to Equinix, Equinix will provide Customer with information about the nature and likely consequences of the Personal Data Breach, the measures that were or will be taken to address the Personal Data Breach, and any other information which Customer requires under Data Protection Laws.

3.4 Equinix will ensure that persons authorised by it to Process Customer Personal Data as part of Equinix Metal have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5 The Parties agree that their Processing of Customer Personal Data, including their respective obligations to implement appropriate technical and organisational measures to ensure the security of the Customer Personal Data, shall at all times be aligned with Equinix’s Shared Responsibility Model, as it applies to Equinix Metal.

4. AUDITS

4.1 Equinix’s Audit Program. Equinix uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Personal Data. Such audits are performed at least once annually at Equinix’s expense by independent third-party security professionals at Equinix’s selection and result in the generation of a confidential audit summary (“Audit Report”). Equinix will make available to Customer the Audit Report and all additional information which is reasonably necessary to demonstrate Equinix’s compliance with its obligations set forth in this DPA. To the extent that Customer can demonstrate that the Audit Report does not provide sufficient information to verify Equinix’s compliance with this Addendum, or where Customer is required to arrange a further audit by any supervisory authority, the parties shall mutually agree an audit plan and scope.

5. RETURN OR DELETION OF CUSTOMER CONTENT

5.1 Equinix will provide Customer with appropriate technical tools which will enable Customer to delete or retrieve any Customer Personal Data which is stored within Equinix Metal. Customer will remove all Customer Data pursuant to Section 3.2. Before re-using Equinix Metal servers for another customer, Equinix will undertake steps to de-provision the Equinix Metal servers, which cleans up the hardware, returns it to a known state and sanitizes storage media, resulting in the erasure of all data that previously remained on the Equinix Metal servers; but for the avoidance of doubt Equinix accepts no responsibility or liability for Customer’s failure to erase or remove Customer Data from Equinix Metal.

6. INTERNATIONAL TRANSFERS

6.1 In the Processing envisaged by the deprovisioning of an Equinix Metal server, the Parties acknowledge and agree that there shall not be any form of international transfer of any Customer Personal Data. If the Parties agree that this position changes, the parties will agree to enter into additional safeguards for such transfer as mandated by applicable law, such as the appropriate module of the EU Standard Contractual Clauses.

7. INFORMATION REQUESTS

7.1 Equinix shall, on request, and taking into consideration the nature of the Processing and the information available to Equinix, assist Customer in ensuring compliance with its obligations in respect of data protection or privacy impact assessments under Data Protection Laws.

8. MISCELLANEOUS

8.1 Subject to Section 8.2, any amendments to this DPA will be agreed by the Parties in writing.

8.2 Equinix may, on notice, make any amendment to this DPA which, in its reasonable opinion, is necessary to ensure the parties’ continued compliance with Data Protection Laws.

8.3 The provisions of this DPA: (a) form part of, and are supplemental to, the terms of the Agreement and (b) prevail over any conflicting provisions of the Agreement. This DPA replaces any other agreements entered into by Equinix in its capacity as Processor of Customer Personal Data.


Schedule 1 to the Data Processing Agreement

Tier: Tier 1

Tier Name: Co-location Bare Metal as a Service [BMaaS]

Product examples: IBX Equinix Metal

Processing activity: Standard hard disk erasure on the Server

Equinix Role: Data Processor

Customer Role: Data Controller

Categories of Personal Data: As determined by customer

Frequency of Transfer: As determined by customer

Schedule 2: Technical and Organisational Measures

Description of the technical and organisational measures implemented by Equinix Metal (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

  1. Measures of pseudonymisation and encryption of personal data

    In respect of the processing activity undertaken by Equinix, this is not relevant because the processing activity involves the removal of any data, including personal data, from the Equinix Metal server.

    In the context of Equinix Metal, the measures of pseudonymisation and encryption of personal data remain a customer responsibility, as Equinix cannot perform these measures within the scope of Equinix Metal.

  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    In respect of the processing undertaken by Equinix, Equinix Metal instigates a software-based operation that wipes the Equinix Metal server which will not release any data remaining on the Equinix Metal server, but will remove the data as further described under paragraph 7 below.

  3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

    In respect of the processing undertaken by Equinix, the intention is to delete and remove any residual Customer Data from the Equinix Metal server, including any Customer Personal Data, and accordingly, there will be no ability to restore and access Customer Data once Equinix’s processing activity has commenced. Designing an IT architecture with resilience and appropriate replication remains the responsibility of Customer. Equinix Metal servers are not sold in a redundant architecture.

    Equinix maintains a public status page for Equinix Metal located at https://status.equinixmetal.com/ to communicate system outages or service degradation incidents quickly and effectively to its Customers. Equinix notifies any Customer affected by a security breach.

  4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

    Equinix regularly evaluates the Equinix Metal platform via compliance audits, for example SOC-2 or ISO 27001. These audits cover evaluating the processes and code used to maintain a secure posture with regard to the controls specified in each audit.

    In respect of Equinix Metal, vulnerability scanning is conducted at all levels for Equinix products. As part of the DevSecOps (Development, Security and Operations) process, Equinix performs periodic SAST (Static Application Security Testing, white box) and DAST (Dynamic Application Security Testing, black box) vulnerability scanning. To reduce the risk to Equinix infrastructure and to supplement existing security practices, routine vulnerability scans are performed on all critical infrastructure systems. All discovered security issues are mitigated in compliance with Equinix’s remediation policy. The Risk Levels are based on the OWASP Risk Rating Methodology.

    Equinix’s internal Product Security team conducts penetration testing against each of its products annually. In addition, Equinix Metal contracts an external vendor to identify exploitable vulnerabilities through penetration tests against its web facing applications, APIs and the network backbone services used to operate Equinix Metal products. Third party external penetration testing is performed annually.

  5. Measures for user identification and authorisation

    Access to Equinix Metal services is managed through an Identity and Access Management component that supports MFA for user authentication, as well as federation that allows Customers to use their own IDP (Identity Provider). All access logs are securely logged and retained for troubleshooting and forensic needs. Passwords are never stored in plain text and are protected using a hashing mechanism compliant with industry standards.

  6. Measures for the protection of data during transmission

    In respect of the processing undertaken by Equinix, Equinix Metal will not instigate any transfer of Customer Data on Equinix Metal. Customer remains responsible for ensuring measures are implemented in the protection of any Customer Data during transmission.

  7. Measures for the protection of data during storage

    Equinix Metal uses software to provide customers the ability to provision and deprovision their hardware in a secure way. When physical actions are required for repair and maintenance of the servers containing the Customer’s Data, several steps are taken to track the activities and to handle data securely.

    Before any Customer activity or Customer Data is stored on the Equinix Metal servers, the servers are processed into a state where the drives and memory are cleared of past stored data or formats. Customers choose what operating system to install and provide their configuration details that will be applied by Equinix, and then Customer is supplied with the means to access their server. Customer is fully responsible for securing their data stored on the server.

    Once the server is provisioned, Equinix Metal does not have access or engage in activities that would access Customer Data. If physical access to a data storage device is required in the event of failure or upgrade, the removed drive is wiped before disposing of or reusing it. When Customer deprovisions a server, the automated process runs data destruction routines on the storage devices to remove all Customer Data and attempts to verify whether any Customer Data still exists after the destruction. If any of these automated destruction processes fail, Customer is notified, and the process is rerun until completion or physical maintenance is performed to replace and destroy the failed device.

  8. Measures for ensuring physical security of locations at which personal data are processed

    Equinix uses security perimeters to protect areas that contain critical Customer information, information processing facilities or other critical data entry points for its systems. Secure areas are protected by appropriate entry controls like man-trap doors, locked cage perimeters and card access devices to ensure that only authorized personnel are allowed access. Equinix only provides access and information to employees or contractors who have a legitimate business need for such privileges. Any non-employee visitors who are allowed access to Equinix facilities are authorized and escorted by an Equinix employee. Visitors are clearly distinguished from employees using a visitor badge and must surrender their visitor identification upon exiting the facility. A visitor log is maintained to record physical access to the facility as well as for computer rooms and data centers where Customer Data is stored or transmitted. Logs are retained for a minimum of three months. Physical access to network jacks, wireless access points, gateways and handheld devices is restricted. Access points, such as delivery and loading areas, and other points where unauthorized persons may enter the premises are controlled and isolated to avoid unauthorized access to the data center facilities. The access control subsystem allows authorized users inside the building and through the various doors within the facility. Biometric hand geometry or fingerprint readers, proximity cards and other technologies permit users to identify themselves to the system and, upon authentication, obtain access to specific areas.

  9. Measures for ensuring events logging

    All deprovision events are tracked in our database and the records are managed and retained in accordance with our Equinix Metal policies.

    Generally, Equinix uses a global system to monitor the health of company servers and infrastructure. Alerts are automatically generated and fed into a logging and alerting system. This includes access logs, processing logs, as well as logs indicating the operations of the critical services required for the products to function. The logs are stored in a secure manner and access is restricted to authorized persons.

  10. Measures for ensuring system configuration, including default configuration

    Equinix is not responsible for monitoring the health or availability of hardware deployed or used by Customer at Equinix IBX datacenters. Instead, Equinix recommends that Customers put in place appropriate monitoring mechanisms and alert Equinix staff, via its support email or phone, of any issue relating to hardware or shared network services. Equinix will then work with Customer to resolve the issue.

  11. Measures for internal IT and IT security governance and management

    The production environment used for providing services to Equinix’s customers is separate from the environment used by Equinix employees to conduct their day-to-day operations. The enterprise environment for conducting day-to-day operations is protected using the following mechanisms.

    Hardening: Equinix hardening guidelines and standards are documented and carried out during system builds.

    Remote access VPN: When Equinix Metal staff remotely access Equinix Metal corporate networks or systems, they are required to use company-supplied remote access and VPN solutions, and two-factor authentication is required.

  12. Measures for certification/assurance of processes and products

    The deprovisioning process follows guidelines from NIST 800-53 and these processes are regularly audited.

    Equinix maintains security certifications and attestations (SOC2, ISO 27001 and CSA). The status of these is listed and updated regularly (https://security.equinixmetal.com/). External 3rd party auditors are leveraged to conduct annual assessments and audits to validate the security posture. Equinix’s CSA Star Level 1 assessment is available publicly from the Cloud Security Alliance website, and our ISO 27001 certificate and SOC2 Type 2 assessment report summary can be requested from Equinix under NDA. The list of certifications attained for each of our data centers can be found online at https://www.equinix.com/data-centers/design/standards-compliance.

  13. Measures for ensuring data minimisation

    In respect of the processing undertaken by Equinix, Equinix Metal will not be able to ensure data minimisation, as Customer alone determines the Customer Data placed on the Equinix Metal server which would be removed as part of the processing undertaken by Equinix.

  14. Measures for ensuring limited data retention

    In respect of the processing undertaken by Equinix, Equinix Metal will not retain any Customer Data, and Customer will be responsible for ensuring that it retains any necessary Customer Data.

  15. Measures for ensuring accountability

    In respect of the processing undertaken by Equinix, Equinix Metal will not be responsible for determining access to Customer Data, and Customer will be responsible for measures to ensure accountability of any Customer Data on Equinix Metal.

  16. Measures for allowing data portability and ensuring erasure

    In respect of the processing undertaken by Equinix, Equinix Metal will not be able to support data portability, and Customer remains responsible for ensuring it can extract any Customer Data from Equinix Metal and transfer it to alternative systems.