Legal

EXHIBIT C DATA SECURITY AND PRIVACY TERMS

ver. June 23, 2025

1. DATA PROTECTION LEGISLATION

  • In performing the Services, ActiveState will comply with, and will ensure that all ActiveState personnel comply with, the data protection and privacy legislation, guidelines, and industry standards applicable to the Services (such applicable legislation, guidelines, and industry standards, "Data Protection Laws").
  • ActiveState will not, by any act or omission on ActiveState's part, place Customer in breach of any applicable Data Protection Laws. For purposes of this Article, the terms "Processing", "Personal Data", and “Sensitive Personal Data” will have the meanings given in the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 General Data Protection Regulation (“GDPR”). To the extent that the GDPR applies to any Personal Data processed by ActiveState, in that the Personal Data applies to data subjects who are in the European Economic Area ("EEA") and the processing activities relate to activities identified in Article 3 of the GDPR, the Parties agree that Customer is the "Controller" of such data and ActiveState is only acting as a "Processor" of such data, as such terms are defined in the GDPR.

2. PROCESSING OF PERSONAL DATA

If the Services involve the processing by ActiveState of personal data on behalf of Customer, ActiveState will:

  • process Personal Data provided by or on behalf of Customer only as needed to perform its obligations under this Agreement and to provide the Services, and will comply with, act on, instructions from or on behalf of Customer regarding the processing of that Personal Data;
  • impose a duty of strict confidentiality on any ActiveState personnel authorized to access or process Personal Data;
  • implement appropriate technical and organizational safeguards to ensure a level of security appropriate to process any Personal Data and protect the Personal Data against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access resulting from the sole negligence of ActiveState; and
  • upon receipt of Customer's written request, promptly delete or return all such Personal Data to Customer upon termination or expiration of this Agreement or following the conclusion of the Services related to processing such Personal Data, and delete any existing copies, unless otherwise required by applicable law.

3. PROCESSING BY SUBCONTRACTORS

ActiveState will ensure that any subcontractor engaged by ActiveState that may access or process Personal Data provided by Customer only uses such Personal Data in accordance with the terms of this Agreement and will enter into an appropriate Data Processing Agreement with ActiveState. ActiveState shall remain fully liable to Customer for the subcontractors.

4. BREACH

ActiveState will promptly inform Customer of any suspected or confirmed data breaches or unauthorized or unlawful processing, loss, or destruction of, or damage to, personal data impacting Customer within 72 hours after discovery of such event by ActiveState, the notice will describe the nature of the breach and the measures taken or to be taken by ActiveState to address such breach.

5. ADDITIONAL PROVISIONS

If the GDPR and / or the UK Data Protection Laws meaning the Data Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland (“UK GDPR”), apply to ActiveState's processing of Customer's Personal Data, ActiveState will:

  • only process Personal Data where Customer is the Controller in accordance with Customer's instructions, including as set forth in this Agreement and/or any Statements of Work, unless otherwise required by applicable European Union or European Member State law (in which case, ActiveState will inform Customer of such legal requirement, unless that law prohibits such disclosure on important grounds of public interest);
  • not process Sensitive Personal Data for the Customer unless Customer has requested previous written consent from ActiveState to do so.
  • obtain prior general consent to engage any third party (including subcontractors) to process such Personal Data on behalf of Customer, ensure that such third-party subcontractor is subject to the provisions as set forth in Section 3, and inform Customer of any intended changes concerning the addition or replacement of such third parties, giving Customer the opportunity to object to such changes;
  • taking into account the nature of the processing and assist Customer, through appropriate technical and organizational measures (insofar as possible), in meeting its obligations under applicable law to respond to requests for exercising the data subject's rights;a. assist Customer in ensuring compliance with any applicable obligations under GDPR related to security, breach notification, data impact assessments and prior consultation with the supervisory authorities, taking into account the nature of processing and the information available to ActiveState;
  • provide reasonable information and assistance, as requested in writing by Customer in order to demonstrate ActiveState's compliance with its obligations imposed by this Agreement with respect to processing of Personal Data, and allow for and cooperate with privacy and security audits, including inspections, conducted by Customer or another third party auditor designated by Customer which shall only be conducted during ActiveState's normal business hours with a thirty (30) days' prior written notice and no more than once in twelve (12) months; and
  • Transfers of Personal Data to a jurisdiction outside of the EEA and/ or the United Kingdom of Great Britain and Northern Island (“UK”) from Controller to Processor (“Restricted Transfer”), will comply with the Standard Contractual Clauses for the transfer of Personal Data to third countries as updated by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021(SCC’s) and the Standard Data Protection Clauses issued by the UK Information Commissioner Office (“ICO”) as an addendum to the SCC’s.

6. PROCESSING BY THIRD PARTIES

This Exhibit only applies to any processing of Personal Data by ActiveState on behalf of Customer. Customer hereby agrees and acknowledges that ActiveState is not liable for any processing of Personal Data that may be done by a third parties in connection with any third-party software, applications, or other products, even if the Services contemplate Customer's use of such third-party software, applications, or other products. For the avoidance of doubt, third parties in this Section 6 includes any third parties contracted directly with the Customer and will not include ActiveState's subcontractors.

Your One Stop For Secure, Trusted Open Source

Talk to our team about how Curated Catalog fits into your workflow.