Data Processing Addendum
Last updated: December 5, 2023
This Data Processing Addendum (“DPA”) is entered into as of the last date executed below by and between Localstack GmbH, a Swiss software company located at Uetlibergstrasse 95, 8045 Zurich, Switzerland (“LocalStack”) and Customer (defined below).THIS DPA APPLIES BETWEEN THE PARTIES WHERE CUSTOMER CLICKS A BOXINDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO LOCALSTACK FOR PROCESSING BYMEANS OF THE LOCALSTACK ASSETS, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCEOF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA EITHER ON BEHALF OFYOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT(EACH, A “CUSTOMER”); AND (B)REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TOTHIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THISDPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO LOCALSTACK.LOCALSTACK RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITSSOLE DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYSFROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER’S CONTINUEDTRANSFER OF PERSONAL DATA. This DPA forms part of LocalStack’s “Terms of Service” (located at: https://localstack.cloud/legal/tos) (referred to as the “Agreement” hereunder), unless LocalStack and Customer have entered into a separate written agreement for the use of the LocalStack Assets in which case such agreement is deemed the Agreement. LocalStack will provide the LocalStack Assets to Customer pursuant to the DPA and this Agreement which involves the Processing ofPersonal Data subject to Applicable Data Protection Laws (each as defined below). The purpose of this DPA is to set forth the terms under which LocalStack Processes Personal Data on behalf of Customer. This DPA consists of the main body and Schedules 1 through4. Execution of this DPA shall include signature and acceptance of the Standard Contractual Clauses (defined below) and its Annexes (see Schedule 2below).
Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the Applicable Data Protection Laws.
- “Authorized Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
- “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws, UK GDPR and the United States including the CCPA.
“CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
“EEA” means the European Economic Area.
“European Data Protection Laws” means the GDPR and other dataprotection laws and regulations of the EEA and European Union, and the MemberStates of each of the foregoing, to the extent applicable to the Processing ofPersonal Data under the Agreement.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Information Security Incident” means a confirmed breach of LocalStack’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in LocalStack’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
“Personal Data” means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby,” provided that such data is electronic data and information submitted by or for Customer to the Services.
“PublicAuthority” means a government agency or law enforcement authority, including judicial authorities.
“Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Security Measures” are LocalStack’s security measures implementedand maintained as administrative, technical and physical safeguards designed toprotect the security and integrity of Personal Data and prevent InformationSecurity Incidents, further described in Schedule 2 Annex III hereto and anyother measures required by Applicable Data Protection Laws.
“Standard Contractual Clauses
” means Standard Contractual Clausesfor the transfer of Personal Data to third countries pursuant to Regulation(EU) 2016/679 of the European Parliament and the Council approved by EuropeanCommission Implementing Decision (EU) 2021/914 of 4 June 2021, currentlylocated here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Subprocessors” or “Sub-processor” means any third party processor that LocalStack engages to Process Personal Data in relation to the Services.
“UKGDPR” means the GDPR as saved into United Kingdom law by virtue of section3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2019.
2. Duration and Scope of DPA
This DPA will remain in effect so long as LocalStack Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the UK GDPR. Schedule 4 to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a “business” (as defined in CCPA) with respect to such Processing.
3. Customer Instructions
LocalStack will Process Personal Data only in accordance with Customer’s instructions to LocalStack. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on LocalStack only pursuant to an amendment to this DPA signed by both parties. Customer instructs LocalStack to Process Personal Data via the Services and as authorized by the Agreement. LocalStack shall inform Customer immediately: (a)if, in its opinion, an instruction from Customer constitutes a breach of any Applicable Data Protection Laws; (b) if LocalStack is unable to follow Customer’s instructions for the Processing of Personal Data; or (c) if LocalStack has reason to believe that LocalStack is subject to changes in Applicable Data Protection Laws contrary to any Customer instructions or terms or requirements of this DPA.
4. Security of Personal Data.
5. Customer’s Responsibilities.
- Customer Obligations. Customer shall have sole responsibility for the accuracy,quality, and legality of Personal Data and the means by which Customer acquiredPersonal Data. Customer specifically acknowledges and agrees that its use ofthe Services will not violate the rights of any data subject, including thosethat have opted-out from sales or other disclosures of personal data, to theextent applicable under Applicable Data Protection Laws. Without limitation ofCustomer’s obligations under the Agreement, Customer: (a) agrees that Customeris solely responsible for its use of the Services, including (1) makingappropriate use of the Services to ensure a level of security appropriate tothe risk in respect of the Personal Data, (2) securing the accountauthentication credentials, systems and devices Customer uses to access theServices, (3) securing Customer’s systems and devices that LocalStack uses toprovide the Services, and (4) backing up Personal Data; and (b) has given allnotices to, and has obtained all consents from, including where theCustomer is a processor by ensuring that the ultimate controller does so, individuals to whom Personal Data pertains and all otherparties as required by applicable laws or regulations for LocalStack to ProcessPersonal Data as contemplated by the Agreement.
- Prohibited Data. Customer represents and warrants to LocalStack that CustomerData does not and will not, without LocalStack’s prior written consent, containany social security numbers or other government-issued identification numbers,protected health information subject to the Health Insurance Portability andAccountability Act (HIPAA) or other information regarding an individual’smedical history, mental or physical condition, or medical treatment ordiagnosis by a health care professional; health insurance information;biometric information; passwords for online accounts; credentials to anyfinancial accounts; tax return data; credit reports or consumer reports; anypayment card information subject to the Payment Card Industry Data SecurityStandard; information subject to the Gramm-Leach-Bliley Act, Fair CreditReporting Act or the regulations promulgated under either such law; informationsubject to restrictions under Applicable Data Protection Laws governingPersonal Data of children, including, without limitation, all information aboutchildren under 16 years of age; or any information that falls within anyspecial categories of data (as defined in GDPR).
6. Compliance with Laws & DataSubject Rights.
- Compliance with Laws. Each party will comply with all Applicable Data Protection Laws. In particular, Customer will comply with its obligations as controller (or on behalf of controller) and LocalStack will comply with its obligations as processor.
- Personal Data Disclosures & Government Requests. LocalStack will not disclosePersonal Data to any third party, including any Public Authority, except: (i)as otherwise permitted under the Agreement including this DPA; or (ii) asnecessary to comply with Applicable Data Protection Laws including with respectto any valid and/or binding Public Authority court order (e.g., a lawenforcement subpoena). If LocalStack receives a binding order from a PublicAuthority requesting access to or disclosure of Personal Data, LocalStack willnotify Customer of the request unless otherwise legally prohibited.
- Data Subject Request Assistance. LocalStack will (taking into account the nature of theProcessing of Personal Data) provide Customer with assistance reasonablynecessary for Customer to perform its obligations under Applicable DataProtection Laws to fulfill requests by data subjects to exercise their rightsunder Applicable Data Protection Laws (“DataSubject Requests”) with respect to Personal Data in LocalStack’s possessionor control. Where permitted under Applicable Data Protection Laws, Customerwill compensate LocalStack for any such assistance at LocalStack’s then-currentprofessional services rates, which will be made available to Customer uponrequest.
- Customer’s Responsibility for Requests. LocalStack will not respond to a Data Subject Requestitself, except where Customer authorizes LocalStack to redirect the DataSubject Request as necessary to allow Customer to respond directly. IfLocalStack receives a Data Subject Request, LocalStack will advise the datasubject to submit the request to Customer and Customer will be responsible forresponding to the request.
7. European & UK Data Protection LawsSpecific Provisions; Changes in Laws.
- GDPR. LocalStack will Process Personal Data in accordance with GDPR directly applicable to LocalStack’s provision of itsServices and as provided for in Schedules 1 and 2 hereto.
- UK GDPR. LocalStack will Process Personal Data in accordance with UK GDPR directly applicable to LocalStack’s provision of its Services and as provided for in Schedule 3 hereto.
- Changes in Applicable Data Protection Laws. LocalStack shall use reasonable efforts to make available to Customer a change in the Services, or recommend a commercially reasonable change to Customer’s configuration or use of the Services, to facilitate compliance with changes in Applicable Data Protection Laws without unreasonably burdening Customer. If LocalStack is unable to make available necessary changes promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by LocalStack in accordance with the changes in Applicable Data Laws by providing written notice in accordance with the “Notices” section of the Agreement. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
- Consent to Subprocessor Engagement. Customer authorizes LocalStack’s Affiliates and the Subprocessors set forth in Schedule 2 Annex III to Process Personal Data pursuant to this DPA and the Agreement.
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, LocalStack will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. LocalStack shall be liable for all obligations under the Agreement subcontracted to, the Subprocessor or its actions and omissions related thereto.
- Subprocessor Changes. When LocalStack engages any new Subprocessor after the Effective Date of the Agreement, LocalStack will notify Customer. This Section 7(c) will not apply with respect to GDPR but instead will be replaced by the requirementsof the Standard Contractual Clauses set forth in Section 4(g) and 4(h) of Schedule 1 hereto.
- Opportunity to Object to Subprocessor Changes. If Customer objects to such engagement in a written notice to LocalStack on reasonable grounds relating to the protection of Personal Data, Customer and LocalStack will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to LocalStack.
9. Return or Deletion of Personal Data.
Upon request by Customer made within 30 days after the effective date of termination or expiration of this Agreement, LocalStack will delete or return Customer Data as set forth in LocalStack’s Security Protocols]. After such 30-day period, LocalStack will have no obligation to maintain or provide any Customer Data, and as provided in the Documentation will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited.
Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Not withstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that LocalStack’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Not withstanding anything to the contrary in the Agreement, any notices required or permitted to be given by LocalStack to Customer under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to LocalStack’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Transfer Mechanicsm for Standard Contractual Clauses Data Transfers
For the purposes of Schedules 1 and 2, these terms shall be defined as follows:
- "EUC-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two(Controller-to-Processor).
- "EUP-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II III and IV (as applicable) to the extent they reference Module Three(Processor-to-Processor).
2. International Transfer Mechanisms.
If, in the performance of the Services, Personal Data that is subject to GDPR, or any other law relating to the protection or privacy of individuals under European Data Protection Laws, is transferred to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the European Data Protection Laws:
- The EU C-to-P Transfer Clauses. Where Customer and/or its Authorized Affiliate is a Controller and a data exporter of Personal Data and LocalStack is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1; and/or
- The EU P-to-P Transfer Clauses. Where Customer and/or its Authorized Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and LocalStack is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.
For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and LocalStack is the data importer and the parties agree to the following. If and to the extent an Authorized Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to Customer in this Schedule includes such Authorized Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
4. Standard Contractual Clauses Operative Provisions and Additional Terms.
5. Additional Terms for the EU P-to-P Transfer Clauses.
For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following:
- Instructions and notifications. For the purposes of clause 8.1(a), Customer hereby informs LocalStack that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to LocalStack for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from LocalStack to the relevant Controller where appropriate.
- Security of Processing. For the purposes of clause 8.6(c)and (d), LocalStack shall provide notification of a personal data breach (i.e., an Information Security Incident) concerning Personal Data Processed by LocalStack to Customer.
- Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to LocalStack by Customer. If LocalStack receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
- Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, LocalStack shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
ANNEX I Through III to the Standard Contractual Clauses
This Schedule 2 contains Annex I through IIIto the Standard Contractual Clauses and and must be completed and signed byeach party below where indicated.
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the dataexporter(s) and, where applicable, of its/their data protection officer and/orrepresentative]
- Name: The person that executes this DPA on behalf of the Customer
Address: Customer’s address set forth in the Order Form
Contact person’s name, position and contact details: Those of the person that executes this DPA
Activities relevant to the data transferred under these Clauses: Controller/Processor of personal data
Signature and date: The Effective Date of the Agreement
Role(controller/processor): Controller or Processor
- Name: LocalStack GmbH
Address: Uetlibergstrasse 95, 8045 Zurich, Switzerland
Contact person’s name, position and contact details: Gerta Sheganaku, COO
Role(controller/processor): Processor (or Subprocessor as the case may be)
Activities relevant to the data transferred under these Clauses: Processor and/or Subprocessor
B. DESCRIPTION OF THE TRANSFER
The Processing activities carried out by LocalStack under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
- Customer and its end users
Categories of personal data transferred
- Categories of personal data chosen by acontroller and issued to processor or subprocessor as the case may be via theSoftware and/or Service
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Solely to the extent controller chooses to transmit any such data via the Software or Services
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- For processor’s Cloud Deployment Type of the Service, on a continuous basis as determined by a controller as permitted under the Agreement For processor’s On-Prem Software offerings, only when controller configures the Software and/or Services in a way that transmits personal data to processor during the provision of technical Support as requested by controller.
Nature of the processing
- For processor’s Cloud Deployment Type of theService, processing of personal data for the Software and Services as describedunder the AgreementForprocessor’s On-Prem Software offerings, during the provision of technicalSupport as requested by controller but solely to the extent controllerconfigures the Software and/or Services in a way that transmits personal datato processor
Purpose(s) of the data transfer and further processing
- For processor’s Cloud Deployment Type of theService, for processor to provide the Services to a controller as requiredunder the AgreementFor processor’s On-Prem Software offerings,during the provision of technical Support as requested by controller but solelyto the extent controller configures the Software and/or Services in a way thattransmits personal data to processor
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- For the term of the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- For the term of the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses as identified in Schedule 1 Section 4(k) of this DPA.
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
LocalStack processes all Personal Data received from Controller under this DPA in conformity with the following technical and organizational measures:
Information Security Organization
- LocalStack’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
- The Chief Technology Officer (CTO) is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of LocalStack’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
- The Chief Technology Officer also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The CTO maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
- The Security team is responsible for identifying and tracking incidents and creating a ‘lessons learned’ document and sharing it with the Engineering team. The Engineering team is responsible for Software development and deployment.
Information Security Organization
- LocalStack has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Internal personnel acknowledge all codes and procedures within 30 days of hire.
- Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
- Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Access Controls and Asset Management
- Internal users are provisioned access to systems based on role as defined in the access matrix, which is reviewed and approved annually by the Chief Technology Officer. The CTO approves any additional access required outside the access matrix.
- The Chief Technology Officer and the Co-founder conduct quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
- Internal user access to systems and applications with service data requires two-factor authentication in the form of user ID / password, and one-time passcode.
- LocalStack has formal policies for password strength and use of authentication mechanisms.
- Production infrastructure is restricted to users with a valid SSH key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
- Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
- Internal use of the internal admin tool is logged. These logs are reviewed monthly for appropriateness.
- Firewall configurations help ensure available networking ports and protocols are restricted to approved business rules.
- The Engineering team maintains a list of the company’s system components, owners, and their business function, and the Chief Technology Officer reviews this list annually.
Incident Management and Business Continuity
- LocalStack’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
- The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
- The Chief Technology Officer maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.
- LocalStack’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
- System changes are tested via automated test scripts prior to being deployed into production.
- Code change requests are independently peer reviewed prior to integrating the code change into the master branch.
- System users who make changes to the development system are unable to deploy their changes to production without independent approval.
- The Engineering team uses a tool to enforce standard production images for production servers.
- Configuration changes are tested (if applicable) and approved prior to being deployed into production.
- The production and testing environments are segregated; production data is not used in the development and testing environments.
Data and Availability Controls
- LocalStack’s Data Protection Policy details the security and handling protocols for service data.
- Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data to a non-production environment at least annually to validate the integrity of backups.
- LocalStack’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
- Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
- The Engineering team encrypts hard drives for portable devices with full disk encryption.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- The Platform is configured to operate across availability zones to support continuous availability.
Vendor and Vulnerability Management
- LocalStack’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The Chief Technology Officer assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
- LocalStack’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
- Vulnerability scans are executed monthly on production systems. The Chief Technology Officer and the Engineering team track critical or high-risk vulnerabilities through resolution. Management has implemented intrusion prevention and detection tools to provide monitoring of network traffic to the production environment.
- The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
- Malware detection software is installed on susceptible endpoints that can access the production environment and is configured to perform daily scans.
- The Engineering team uses alerting software to notify impacted teams of potential security and availability events.
Schedule 3 Transfer Mechanisms for UK GDPR
For the purposes of this Schedule 3, these terms shall be defined as follows:
B. International Transfer Mechanisms
If, in the performance of the Services, PersonalData that is subject to UK GDPR or any other law relating to the protection orprivacy of individuals that applies in the United Kingdom is transferred out ofthe United Kingdom to countries which do not ensure an adequate level of dataprotection within the meaning of the European Data Protection Laws, the UK GDPRIDTA and/or UK Addendum shall apply to such transfers and can be directlyenforced by the Parties to the extent such transfers are subject to the UKGDPR.
C. Appendix Information
Annex I through III, set for thin Schedule 2 to this DPA, contain Appendix Information for the UK IDTA and UK Addendum and are incorporated therein by reference.
United States Schedule
- The parties acknowledge that Customer discloses Personal Data to LocalStack for the limited and specified purposes set forth in the Agreement and DPA, and as instructed by Customer.
- Customer shall have the right to take the reasonable and appropriate steps set forth in the Agreement designed to stop and remediate unauthorized use of Personal Data.
- LocalStack will not retain, use, disclose, sell, or share the Personal Data other than providing the Services specified by Customer’s documented instructions. LocalStack will not combine Personal Data with information received from, or on behalf of other entities, except to perform the purpose of providing the Services specified by Customer’s documented instructions. LocalStack shall Process Personal Data in accordance with Data Protection Laws applicable to LocalStack’s provision of the Services to its customers generally (i.e., without regard for Customer’s particular use of the Services), when the Services are used according to this DPA, the Agreement, the Documentation, and the applicable Order Form. LocalStack shall inform Customer if LocalStack determines it is unable to meet its obligations under the CCPA.
- The parties acknowledge that LocalStack’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to LocalStack’s provision of the Services and the business relationship between the parties.