Data Processing Addendum (DPA)
Last revised 9/26/2025
This Data Processing Agreement (“DPA”) forms part of the End User License Agreement (the “Agreement”) between Claroty Ltd. or its Affiliate (“Claroty”) and User (“User”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Claroty shall provide the products and/or services set forth in the Agreement (collectively, the “Services”) for User, as described in the Agreement; and
WHEREAS, In the course of providing the Services pursuant to the Agreement, Claroty may process Personal Data on User’s behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. Definitions:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of User’s Affiliate(s) which (a) is subject to the Data Protection Laws and Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between User and Claroty, but has not signed its own agreement with Claroty and is not a “User” as defined under the Agreement
“Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include the User and/or the User’s Authorized Affiliates.
“CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civil Code § 1798.100 et seq.), including, but not limited to, amendments of the CCPA or applicable regulations promulgated by the California Privacy Protection Agency.
“Claroty” means the relevant Claroty entity as specified in the Agreement.
“Claroty Group” means Claroty and its Affiliates and their employees, personnel, contractors and consultants engaged in the Processing of Personal Data.
"Data Privacy Framework" or "DPF" means the EU-US Data Privacy Framework as adopted by the European Commission on July 10, 2023, and/or the Swiss-US Data Privacy Framework. "UK Extension" means the United Kingdom's extension to the EU-US Data Privacy Framework.
“Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their Member States, including the GDPR, the UK GDPR, and the Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (including Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and Privacy Protection Regulations (Data Security), 5777-2017), and any binding instructions, guidelines and requirements of the Israeli Privacy Protection Authority, as applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates.
“Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined under Data Protection Laws and Regulations and/or under the CCPA, as applicable.
“Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security Documentation” means the Security Documentation applicable to the specific Services purchased by the User, as can be found at: https://claroty.com/trust, and may be updated from time to time.
“Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here as updated, amended, replaced or superseded from time to time by the European Commission; or (ii) where required from time to time by a supervisory authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Regulatory Authority or Data Protection Laws and Regulations;
“Sub-processor” means any Processor engaged by Claroty and/or Claroty Affiliate to Process Personal Data on behalf of User.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
“UK GDPR” means the Data Protection Act 2018, as updated, amended, replaced or superseded from time to time by the ICO.
“UK Standard Contractual Clauses” or “UK SCCs” means the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out by the ICO, as available here, as updated, amended, replaced or superseded from time to time by the ICO.
For the purposes of this DPA, references to any applicable laws and to terms defined therein shall be construed as references to such laws as they may be replaced, amended, extended, re-enacted, or consolidated from time to time (including, without limitation, the GDPR, the UK GDPR, the CCPA, and any subsequent Data Protection Laws and Regulations), and to the equivalent terms as defined under any such subsequent legislation once in force and applicable.
2. PROCESSING OF PERSONAL DATA
Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, (i) User is the Data Controller, (ii) Claroty is the Data Processor and that (iii) Claroty may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. The User, User’s vendors and/or User’s business partners and the Data Subjects shall provide the Personal Data to Claroty by supplying the Personal Data to Claroty’s Service. For the avoidance of doubt, the log-in details to Claroty’s platform are subject to Claroty’s privacy policy, as updated from time to time, and not to this DPA, and therefore, Claroty operates as the Data Controller of such data.
2.1 User’s Processing of Personal Data. User shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, User’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. User shall have sole responsibility for the means by which User acquired Personal Data. Without limitation, User shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal bases in order to collect, Process and transfer to Claroty the Personal Data and to authorize the Processing by Claroty of the Personal Data which is authorized in this DPA. User shall defend, hold harmless and indemnify Claroty, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by User and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
2.2 Claroty’s Processing of Personal Data.
2.2.1 Subject to the Agreement, Claroty shall Process Personal Data that is subject to this DPA only in accordance with User’s documented instructions and only as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by Union or Member State law or (to maximum extent permitted by law) any other applicable law to which Claroty and its Affiliates are subject, in which case, Claroty shall inform the User of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
2.2.2 To the extent that Claroty or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from User and/or its authorized users relating to Processing of Personal Data or where Claroty considers such a request to be unlawful, Claroty (i) shall inform User, providing relevant details of the problem (but not legal advice), (ii) Claroty may, without any kind of liability towards User, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and User shall pay to Claroty all the amounts owed to Claroty or due before the date of termination. User will have no further claims against Claroty (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
2.2.3 Claroty will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Claroty, to the extent that such is a result of User’s instructions.
3. RIGHTS OF DATA SUBJECTS
If Claroty receives a request from a Data Subject to exercise its rights as described under Data Protection Laws and Regulations (“Data Subject Request”), Claroty shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to User. Taking into account the nature of the Processing, Claroty shall use commercially reasonable efforts to assist User by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of User’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations (including, without limitation, Articles 32 to 36 of GDPR), including in relation to security of processing, data subject requests, data breaches, data protection impact assessments, litigation or regulatory inquiries. To the extent legally permitted, User shall be responsible for any costs arising from Claroty’s provision of such assistance.
4. CLAROTY PERSONNEL
4.1 Confidentiality. Claroty shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Claroty may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, Claroty shall inform the User of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
5. AUTHORIZATION REGARDING SUB-PROCESSORS
5.1 User hereby grants general written authorization to Claroty to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Claroty’s current list of Sub-Processors is included at https://www.claroty.com/third-party-sub-processors (“Sub-Processor List”) and is hereby approved by Customer.
5.2 Claroty offers a mechanism for User to subscribe to notifications of changes to Claroty’s Sub-Processor List via https://www.claroty.com/third-party-sub-processors. If User subscribes to receive such updates, Claroty shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving User the opportunity to object.
5.3 Objection Right for New Sub-processors. User may reasonably object to Claroty’s use of a new Sub-processor for reasons related to the GDPR by notifying Claroty promptly in writing within three (3) business days after receipt of Claroty’s notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons related to the GDPR for objecting to Claroty’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Claroty’s notice shall be deemed as acceptance of the new Sub-Processor. In the event User reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Claroty will use reasonable efforts to make available to User a change in the Services or recommend a commercially reasonable change to User’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the User. If Claroty is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, User may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Claroty without the use of the objected-to new Sub-processor by providing written notice to Claroty provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Claroty. Until a decision is made regarding the new Sub-processor, Claroty may temporarily suspend the Processing of the affected Personal Data. User will have no further claims against Claroty due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.4. In case Sub-processors are engaged by Claroty, Claroty shall enter into contractual agreements with the Sub-processors that are drafted in a manner that they reflect the data protection obligations as set out in this DPA. In accordance with Articles 28.7 and 28.8 of the GDPR, if and when the European Commission lays down the standard contractual clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses
5.4 This Section 5 shall not apply to subcontractors of Claroty which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
6. SECURITY
6.1 Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Claroty shall maintain industry-standard technical and organizational measures required pursuant to Data Protection Laws and Regulations, including, without limitation, Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by User. Upon the User’s request, Claroty will use commercially reasonable efforts to assist User, at User’s cost, in ensuring compliance with the obligations pursuant to Data Protection Laws and Regulations, including, without limitation, Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state of the art, and the information available to Claroty.
6.2 Third-Party Certifications and Audits. Upon User’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Claroty shall make available to User that is not a competitor of Claroty (or User’s independent, third-party auditor that is not a competitor of Claroty) a copy or a summary of Claroty’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by User to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Claroty’s prior written approval and, upon Claroty’s first request, User shall return all records or documentation in User’s possession or control provided by Claroty in the context of the audit and/or the certification). At User’s cost and expense, Claroty shall allow for and contribute to audits, including inspections of Claroty’s, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Claroty) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, nothing in this DPA will require Claroty either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Claroty; (ii) Claroty’s internal accounting or financial information; (iii) any trade secret of Claroty; or (iv) any information that, in Claroty’s sole reasonable discretion, could compromise the security of any of Claroty’s systems or premises or cause Claroty to breach obligations under any applicable law or its obligations to any third party. Furthermore, any information or records provided pursuant to this assessment process shall be considered Claroty’s Confidential Information and subject to the Confidentiality section of the Agreement.
7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
To the extent required under applicable Data Protection Laws and Regulations, Claroty shall notify User without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Claroty of which Claroty becomes aware (a “Personal Data Incident”). Claroty shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Claroty deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Claroty’s reasonable control. The obligations herein shall not apply to incidents that are caused by User or User’s users or are otherwise unrelated to the provision of the Services. In any event, User will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
8. RETURN AND DELETION OF PERSONAL DATA
Subject to the Agreement, Claroty shall, at the choice of User, delete or return the Personal Data to User after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Claroty may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. If the User requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Claroty’s customers.
9. AUTHORIZED AFFILIATES
9.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the User and Claroty each enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Claroty and each such Authorized Affiliate. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by User.
9.2 Communication. The User shall remain responsible for coordinating all communication with Claroty under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
10. TRANSFERS OF DATA
10.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), the United Kingdom to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission, the UK supervisory authority (“Adequacy Decisions”), without any further safeguard being necessary.
10.2 To the extent that there is Processing of Personal Data which includes transfers from the EEA, the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the below terms shall apply:
a) With respect to the EU transfers of Personal Data, Customer as a Data Exporter (as defined in the SCCs) and Claroty on behalf of itself and each Claroty Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the SCC set out in Schedule 2. To the extent that there is any conflict or inconsistency between the terms of the SCC and the terms of this DPA, the terms of the SCC shall take precedence.
b) With respect to the UK transfers of Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), Customer as a Data Exporter (as defined in the UK SCCs) and Claroty on behalf of itself and each Claroty Affiliate (as applicable) as a Data Importer (as defined in the UK SCCs), hereby enter into the UK SCC set out in Schedule 2. To the extent that there is any conflict or inconsistency between the terms of the UK SCC and the terms of this DPA, the terms of the UK SCC shall take precedence.
12. CCPA
To the extent that the Personal Data is subject to the CCPA, Claroty shall not sell or share Customer's Personal Data. Claroty acknowledges that when processing Personal Data in the context of the provision of the Services, Customer is not selling or sharing Personal Data to Claroty. Claroty agrees not to retain, use or disclose Customer Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for no other commercial or Business Purpose; or (iii) outside the direct business relationship between Claroty and Customer. Notwithstanding the foregoing, Claroty may use, disclose, or retain Customer Personal Data to: (i) transfer the Personal Data to other Claroty’s entities (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Customer; (ii) to comply with, or as allowed by, applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (ii) for internal use by Claroty to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (iii) to detect data security incidents, or protect against fraudulent or illegal activity; and (iv) collect and analyse anonymous information. Claroty shall use commercially reasonable efforts to comply with its obligations under CCPA. If Claroty becomes aware of any material applicable requirement (to Claroty as a service provider) under CCPA that Claroty cannot comply with, Claroty shall use commercially reasonable efforts to notify Customer. Upon written Customer’s notice, Claroty shall use commercial reasonable and appropriate steps to stop and remediate Claroty’s alleged unauthorized use of Personal Data; provided that Customer must explain and demonstrate in the written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons. Claroty shall use commercially reasonable efforts to enable User to comply with consumer requests made pursuant CCPA. Notwithstanding anything to the contrary, User shall be fully and solely responsible for complying with its own requirements under CCPA. “Business purpose” means the Processing activities that Claroty will perform to provide Services (as described in the Agreement), this DPA and any other instruction from User, as otherwise permitted by applicable law, including, CCPA and the applicable regulations, or as otherwise necessary to provide the Services to User.
11. TERMINATION
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.1, 2.2.3, 8, 12 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
12. RELATIONSHIP WITH AGREEMENT
In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Claroty shall be liable in accordance with limitations as set out in the Agreement. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) In no event will Claroty and/or Claroty Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (B) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Claroty, Claroty Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
13. AMENDMENTS
This DPA may be amended at any time by a written instrument duly signed by each of the Parties
14. LEGAL EFFECT
Claroty may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Claroty obligation hereunder may be performed (in whole or in part), and any Claroty right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Claroty.
List of Schedules
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter. Claroty will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by User in its use of the Services.
Nature and Purpose of Processing
Providing the Service(s) to User
Setting up profile(s) for users authorized by User
To enable User's use of the Services
For Claroty to comply with documented reasonable instructions provided by User where such instructions are consistent with the terms of the Agreement.
Performing obligations related to the Agreement, this DPA and/or other contracts executed by the Parties.
Providing support and technical maintenance, if agreed in the Agreement.
Any other tasks reasonably related to the above.
Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Claroty will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
User may submit Personal Data to the Services, the extent of which is determined and controlled by User in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
IP address, MAC addresses, users, and hostnames of personal devices (such as laptops, tablets, smartphones) connected to User’s network.
IP addresses of web services accessed by users who were connected to User’s network through their personal devices.
Accession Numbers of scans performed by User’s imaging devices.
Any other Personal Data or information that the User decides to provide or supply to Claroty or the Services.
The User and the Data Subjects shall provide the Personal data to Claroty by supplying the Personal data to Claroty’s Service; User acknowledges that Claroty does not control which User Personal Data User shares with it in the context of the Services.
Notwithstanding anything to the contrary, User acknowledges that the same personal information or Personal Data provided by User or processed on behalf of User may have already been (or will be) provided by other customers to Claroty or may have already been (or will be) collected by Claroty independently or from other customers or may be available on public sources. For avoidance of doubt, this data and information may be collected, used and processed by Claroty and/or disclosed by Claroty to third parties and other customers without this being deemed a breach of this DPA and/or the Agreement.
Categories of Data Subjects
User may submit Personal Data to the Services, the extent of which is determined and controlled by User in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
If applicable, User’s patients, guests, visitors and/or customers
User’s users authorized by User to use the Services
Employees, agents, advisors, freelancers of User (who are natural persons)
Prospects, customers, business partners and vendors of User (who are natural persons)
Employees or contact persons of User’s prospects, customers, business partners and vendors
SCHEDULE 2 - STANDARD CONTRACTUAL CLAUSES
Controller to Processor
EU SCCs
If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
a) The Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) as applicable, will apply, with respect to restricted transfers between User and Claroty that are subject to the GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between User (as Data Exporter) and Claroty (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be not applicable; (iv) In Clause 13: the relevant option applicable to the User, as informed by User to Claroty; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is User as a data controller and (ii) the Data Importer is Claroty as a data processor. With respect to Module Three: (i) Data Exporter is User as a data processor and (ii) the Data Importer is Claroty as a data processor (sub-processor). Data Importer Contact Details: as detailed in the Agreement and/or: Legal Department, privacy@claroty.com, Data Exporter: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Ireland supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described in the Security Documentation.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in the Sub-Processor List.
UK SCCs
If the Processing of Personal Data includes transfers from the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
a) The UK Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) if applicable, will apply with respect to restricted transfers between User and Claroty that are subject to the GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between User (as Data Exporter) and Claroty (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be not applicable; (iv) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (v) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c) Annex I.A: With respect to Module Two: Data Exporter is User as a data controller and the Data Importer is Claroty as a data processor. With respect to Module Three: Data Exporter is User as a data processor and the Data Importer is Claroty as a data processor (sub-processor). Data Importer Contact Details: as detailed in the Agreement and/or: Legal Department, privacy@claroty.com, Data Exporter: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the ICO supervisory authority.
f) Annex II of the UK Standard Contractual Clauses shall be completed as described in the Security Documentation.
g) Annex III of the UK Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in the Sub-Processor List.
