diff --git a/dpa/index.md b/dpa/index.md index 4f01cc4..4b5c48b 100644 --- a/dpa/index.md +++ b/dpa/index.md @@ -6,9 +6,9 @@ description: > This Data Processing Addendum forms part of the underlying agreement along with any associated contractual document. --- -Effective date: 2024-02-19 +Last updated: 2024-09-12 -This Data Processing Addendum (“**DPA**”) is entered into by and between Tailscale and Customer and sets forth the parties’ obligations with respect to the Processing of Personal Data (definitions below). For purposes of this DPA, the “**Agreement**” refers to either the Tailscale Terms of Service or the Main Service Agreement between you and Tailscale (as applicable to you). This DPA is incorporated by reference into the Agreement. +This Data Processing Addendum (“**DPA**”) is entered into by and between Tailscale and Customer and sets forth the parties’ obligations with respect to the Processing of Personal Data (definitions below). The effective date of this DPA shall be the same as that for the Agreement. For purposes of this DPA, the “**Agreement**” refers to either the Tailscale Terms of Service or the Main Service Agreement between you and Tailscale (as applicable to you). This DPA is incorporated by reference into the Agreement and constitutes the entire agreement between the parties on the subject matter hereof. 1. **Definitions**. 
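Review bot: the new closing sentence of the opening paragraph, that this DPA "constitutes the entire agreement between the parties on the subject matter hereof", sits uneasily beside the unchanged front-matter description just above it, which says the DPA "forms part of the underlying agreement along with any associated contractual document"; either drop the entire-agreement wording or scope it so the Agreement, any Order Forms and the Schedules the DPA itself references are expressly carved out, otherwise the two statements contradict each other on the same page. Replacing "Effective date: 2024-02-19" with "Last updated: 2024-09-12" and tying the effective date to the Agreement is consistent with Section 10, which already keys changes to the "last updated" date, so that part of the change reads fine.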
@@ -26,9 +26,7 @@ This Data Processing Addendum (“**DPA**”) is entered into by and between Tai 1.6 “**Subprocessing**” means any sub-contracted Processing that relates directly to the provision of the Tailscale Solution. This does not include ancillary services, such as telecommunication services, postal or transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. A “**Subprocessor**” is the person with which Tailscale has sub-contracted such Processing. - 1.7 “**Subprocessor List**” means the list of Subprocessors available at or its successor webpages. - - 1.8 “**UK SCC’s**” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as published by the UK Information Commissioner’s Office and in force as of 21 March 2022. + 1.7 “**UK SCC’s**” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as published by the UK Information Commissioner’s Office and in force as of 21 March 2022. 2. **Details of Processing**. 
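Review bot: removing the 1.7 "Subprocessor List" definition (whose URL was missing in the old text, "available at or its successor webpages") is only safe if every use of the defined term is updated; the rewritten Section 6 later in this patch switches to "Subprocessor Page" with the link inline, so confirm that no other section or Schedule still says "Subprocessor List" after the renumbering. Separately, the renumbered 1.7 keeps the defined term as "UK SCC's" (with an apostrophe) while Section 7.3 uses "UK SCCs", so the definition does not literally match its usage; renaming the term to "UK SCCs" here would fix that.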
@@ -36,61 +34,64 @@ This Data Processing Addendum (“**DPA**”) is entered into by and between Tai 2.2 **Restrictions**. In compliance with Data Privacy Laws, Tailscale will not: (i) “sell” Personal Data (as such term in quotes is defined in applicable Data Privacy Laws); (ii) “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotes are defined in applicable Data Privacy Laws); (iii) combine Personal Data with personal information received from other sources as specifically prohibited under Data Privacy Laws; (iv) attempt to link, identify, or otherwise create a relationship between Personal Data and non-personal data or any other data without your express authorization; or (v) otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. -3. **Requirements and Commitments**. +3. **Requirements and Responsibilities**. - 3.1 **Tailscale:** + 3.1 **Confidentiality:** Tailscale will ensure that the persons we authorize to Process the Personal Data are subject to a written confidentiality agreement covering the Personal Data or are under an appropriate statutory obligation of confidentiality. - 3.1.1 Will ensure that the persons we authorize to Process the Personal Data are subject to a written confidentiality agreement covering the Personal Data or are under an appropriate statutory obligation of confidentiality. + 3.2 **Data Subject Requests.** If Tailscale receives any requests from Data Subjects seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data, to the extent legally permitted, we will promptly notify you or refer the Data Subjects to you for handling. 
Such requests related to Personal Data may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to automated individual decision making (each, a “Data Subject Request”). Tailscale will not respond to such Data Subject Requests itself, and you authorize Tailscale to redirect the Data Subject Request as necessary to you for handling. In the event you are unable to address a Data Subject Request through self-service capabilities, Tailscale will, upon your request, provide commercially reasonable efforts to assist you in responding to the Data Subject Request, to the extent we are legally permitted to do so and the response to such Data Subject Request is required under Data Privacy Laws. To the extent legally permitted, you will be responsible for any costs arising from Tailscale’s provision of this additional support to assist you with a Data Subject Request. - 3.1.2 If we receive any requests from Data Subjects seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data, and to the extent legally permitted, will promptly notify you or refer the Data Subjects to you for handling. Such requests related to Personal Data may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to automated individual decision making (each, a “**Data Subject Request**”). Tailscale will not respond to such Data Subject Requests itself, and you authorize Tailscale to redirect the Data Subject Request as necessary to you for handling. 
In the event you are unable to address a Data Subject Request through self-service capabilities, Tailscale will, upon your request, provide commercially reasonable efforts to assist you in responding to the Data Subject Request, to the extent we are legally permitted to do so and the response to such Data Subject Request is required under Data Privacy Laws. To the extent legally permitted, you will be responsible for any costs arising from Tailscale’s provision of this additional support to assist you with a Data Subject Request. + 3.3 **Public Authority Requests.** - 3.1.3 To the extent legally permitted, will notify you without undue delay if it receives a legally binding request for disclosure of or access to Personal Data from a public authority (including judicial or administrative authorities, or national security or intelligence agencies) or becomes aware of any direct access by a public authority to Personal Data. Such notification will include information about the Personal Data requested or accessed, the requesting or accessing authority, the legal basis for the request or access, and any response provided. If Tailscale is prohibited by applicable law or regulation from notifying you or disclosing the details of a public authority request to you, Tailscale will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. + 3.3.1 To the extent legally permitted, Tailscale will notify you without undue delay if we receive a legally binding request for disclosure of or access to Personal Data from a public authority (including judicial or administrative authorities, or national security or intelligence agencies) or become aware of any direct access by a public authority to Personal Data. 
Such notification will include information about the Personal Data requested or accessed, the requesting or accessing authority, the legal basis for the request or access, and any response provided. If Tailscale is prohibited by applicable law or regulation from notifying you or disclosing the details of a public authority request to you, Tailscale will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. - 3.1.4 Will use reasonably available legal mechanisms to challenge any binding legal requests for disclosure of or access to Personal Data made by a public authority that it receives, as well as any non-disclosure provisions attached to any such request. Tailscale will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. + 3.3.2 Tailscale will use reasonably available legal mechanisms to challenge any binding legal requests for disclosure of or access to Personal Data made by a public authority that we receive, as well as any non-disclosure provisions attached to any such request. Tailscale will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. - 3.1.5 To the extent legally permitted, and no more than once per calendar year unless otherwise required by Data Privacy Laws, will, upon Customer’s written request, provide a report to Customer regarding binding legal requests for disclosure of or access to Personal Data it has received from public authorities (including with respect to national security requests), such report to include the number of requests, the type of Personal Data requested, the requesting authority(ies), whether the requests have been challenged, and the outcome of such challenges. Requests for such transparency reports should be sent to: privacy@tailscale.com. 
+ 3.3.3 To the extent legally permitted, and no more than once per calendar year unless otherwise required by Data Privacy Laws, Tailscale will, upon Customer’s written request, provide a report to Customer regarding binding legal requests for disclosure of or access to Personal Data we have received from public authorities (including with respect to national security requests), such report to include the number of requests, the type of Personal Data requested, the requesting authority(ies), whether the requests have been challenged, and the outcome of such challenges. Requests for such transparency reports should be sent to: [privacy\@tailscale.com](mailto:privacy@tailscale.com). - 3.1.6 Will promptly and without undue delay notify Customer if we determine that either: (i) we can no longer meet our obligations under this DPA or applicable Data Privacy Laws; or (ii) in our opinion an instruction from Customer infringes applicable Data Privacy Laws; and await your further instructions. Such notice will entitle you to terminate the Agreement (or, if applicable, only the affected Order Form(s)) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This right to terminate and refund will be your sole and exclusive remedy. + 3.4 **Supervisory Authorities.** To the extent legally permitted, each party will notify the other party without undue delay of any inspections or measures conducted by that party’s supervisory or regulatory authority, insofar as they relate to this DPA. Each party will cooperate with the supervisory authority of the other party to aid in their supervisory or regulatory authority’s performance of its tasks (insofar as they relate to this DPA) at the reasonable cost and expense of the party being inspected. 
In addition, at Customer’s reasonable cost and expense, Tailscale will provide Customer with reasonable cooperation and assistance for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Tailscale under Data Privacy Laws to consult with a supervisory or regulatory authority in relation to Tailscale’s Processing or proposed Processing of Personal Data. - 3.1.7 Certifies that we understand our obligations under this DPA (including without limitation the restrictions under this Section 3.1) and that we will comply with them. - - 3.2 **Each party:** - - 3.2.1 To the extent legally permitted, will notify the other party without undue delay of any inspections or measures conducted by that party’s supervisory or regulatory authority, insofar as they relate to this DPA. Each party will cooperate with the supervisory authority of the other party to aid in their supervisory or regulatory authority’s performance of its tasks (insofar as they relate to this DPA) at the reasonable cost and expense of the party being inspected. In addition, at Customer’s reasonable cost and expense, Tailscale will provide Customer with reasonable cooperation and assistance for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Tailscale under Data Privacy Laws to consult with a supervisory or regulatory authority in relation to Tailscale’s Processing or proposed Processing of Personal Data. - - 3.2.2 To the extent legally permitted, will inform Data Subjects of a contact point authorized to handle Data Subject complaints regarding the Processing of Personal Data under this DPA. Unless prohibited by applicable law, each party will promptly notify the other party of any complaints or Claims regarding the Processing of Personal Data under this DPA. 
The parties will work together and provide reasonable cooperation and assistance to each other to promptly address any complaint or respond to the Claim (as applicable). - - 3.2.3 Will provide reasonable assistance to and cooperation with the other party for their performance of a data protection impact assessment or privacy impact assessment of Processing or proposed Processing activities, when required by applicable Data Privacy Laws. - - 3.2.4 Understands and acknowledges that each party’s successful compliance with this DPA and Data Privacy Laws will require the reasonable communication, cooperation and assistance of the other party. To that end, each party commits that it will operate in good faith and provide such reasonable cooperation and assistance. + 3.5 **Complaint Handling.** To the extent legally permitted, each party will inform Data Subjects of a contact point authorized to handle Data Subject complaints regarding the Processing of Personal Data under this DPA. Unless prohibited by applicable law, each party will promptly notify the other party of any complaints or Claims regarding the Processing of Personal Data under this DPA. The parties will work together and provide reasonable cooperation and assistance to each other to promptly address any complaint or respond to the Claim (as applicable). + + 3.6 **Impact Assessments.** Each party will provide reasonable assistance and cooperation to the other party for their performance of a data protection impact assessment or privacy impact assessment of Processing or proposed Processing activities, when required by applicable Data Privacy Laws. + + 3.7 **Customer Responsibilities.** Customer is responsible for the lawfulness of Personal Data Processing under or in connection with the Tailscale Solution. 
Customer will comply with all applicable Data Privacy Laws with respect to the collection and transfer of Personal Data to Tailscale and its Subprocessors, including providing any required notices to and obtaining all necessary consents, permissions and rights from Data Subjects under applicable Data Privacy Laws, for Tailscale to lawfully Process Personal Data for the purposes contemplated by the Agreement. Customer shall make appropriate use of the Tailscale Solution to ensure a level of security appropriate to Customer’s business. Customer shall ensure that its Processing instructions comply with applicable laws. Customer acknowledges that Tailscale has no obligation to assess the contents or accuracy of Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement, and that Customer is responsible for making an independent determination as to whether its use of the Tailscale Solution will meet customer’s requirements and legal obligations under applicable Data Privacy Laws. + + 3.8 **Tailscale Compliance.** Tailscale certifies that we understand our obligations under this DPA and that we will comply with them. Tailscale will promptly and without undue delay notify Customer if we determine that either: (i) we can no longer meet our obligations under this DPA or applicable Data Privacy Laws; or (ii) in our opinion an instruction from Customer infringes applicable Data Privacy Laws; and await your further instructions. Such notice will entitle you to terminate the Agreement (or, if applicable, only the affected Order Form(s)) and receive a prompt pro-rata refund of any prepaid amounts thereunder covering the remainder of the applicable term after the effective date of termination. This right to terminate and refund will be your sole and exclusive remedy. 
+ + 3.9 **Good Faith Cooperation and Assistance.** The parties understand and acknowledge that each party’s successful compliance with this DPA and Data Privacy Laws will require the reasonable communication, cooperation and assistance of the other party. To that end, each party commits that it will operate in good faith and provide such reasonable cooperation and assistance. 4. **Security Measures**. Tailscale places great importance on the security of the Tailscale Solution, and we have adopted a variety of administrative, technical, physical, and organizational measures designed to protect the Tailscale Solution against accidental or unlawful destruction, loss, alteration, disclosure or access (collectively the “**Security Measures**”). Tailscale will maintain our Security Measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability and resilience of our systems and the Tailscale Solution, while also taking into account the state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of Data Subjects. Tailscale’s Security Measures are as described in Schedule D. -5. **Personal Data Breaches.** Tailscale will notify you without undue delay (and in any event within 72 hours) of any known breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed (a “**Personal Data Breach**”). 
We will also provide reasonable assistance to you in your compliance with your Personal Data Breach-related obligations, including without limitation by: (a) taking steps to mitigate the effects of the Personal Data Breach and reduce the risk to Data Subjects whose Personal Data was involved (such steps to be determined by Tailscale in our sole discretion); and (b) providing you with the following information, to the extent known: (i) the nature of the Personal Data Breach, including, where possible, how the Personal Data Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Breach; and (iii) the measures we have taken or propose to take to address the Personal Data Breach, including where appropriate measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay. +5. **Personal Data Breaches.** Tailscale will notify you without undue delay (and in any event within seventy-two (72) hours) of any known breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed (a “**Personal Data Breach**”). 
We will also provide reasonable assistance to you in your compliance with your Personal Data Breach-related obligations, including without limitation by: (a) taking steps to mitigate the effects of the Personal Data Breach and reduce the risk to Data Subjects whose Personal Data was involved (such steps to be determined by Tailscale in our sole discretion); and (b) providing you with the following information, to the extent known: (i) the nature of the Personal Data Breach, including, where possible, how the Personal Data Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Breach; and (iii) the measures we have taken or propose to take to address the Personal Data Breach, including where appropriate measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay. For the avoidance of doubt, “Personal Data Breach” will not include unsuccessful attempts or activities that do not: (i) compromise the security of Personal Data, including, but not limited to, unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems, or other attempts to access data; or (ii) create a real and material risk of significant harm to Personal Data. The parties agree that notice under this section is not an admission of fault or liability by the notifying party. -6. **Subprocessors.** You acknowledge and agree that Tailscale may use its Affiliates and third party Subprocessors to Process Personal Data in accordance with this DPA and applicable Data Privacy Laws. 
Where Tailscale sub-contracts any of its rights or obligations concerning Personal Data, Tailscale will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with this DPA and applicable Data Privacy Laws. Tailscale will remain liable for the acts and omissions of its Subprocessors as if they were its own. You hereby consent to the use of Subprocessors listed at the Subprocessor List as of the effective date of this DPA. Tailscale will maintain the Subprocessor List and will provide customers with reasonable notice of any new subprocessor added to the list. The Subprocessor List page contains a mechanism to subscribe to notifications of updates to the Subprocessor List, and Tailscale will provide details of any such changes solely via this subscription mechanism. If you object to a new Subprocessor, you must notify Tailscale of your objection, if any, in writing within ten (10) days of receipt of information about the change. You will be entitled to terminate the Agreement with immediate effect and without liability in the event Tailscale does not consider and respond to your objections within a commercially reasonable period of time. Upon such termination, Tailscale will refund any prepaid fees covering the Tailscale Solution on a pro rata basis following the effective date of such termination. This right to terminate and refund will be Customer’s sole and exclusive remedy. +6. **Subprocessors.** + + 6.1 You acknowledge and agree that Tailscale may: (i) use its Affiliates and third party Subprocessors to Process Personal Data in accordance with this DPA and applicable Data Privacy Laws; and (ii) from time to time engage additional third parties for the purpose of providing the Tailscale Solution, including without limitation the Processing of Personal Data. 
Where Tailscale sub-contracts any of its rights or obligations concerning Personal Data, Tailscale will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with this DPA and applicable Data Privacy Laws. Tailscale will remain liable for the acts and omissions of its Subprocessors as if they were its own. By way of this DPA, you hereby consent to the use of the Subprocessors listed at [tailscale.com/dpa-subprocessors](https://tailscale.com/dpa-subprocessors) or its successor webpages (the **“Subprocessor Page”**) as of the effective date of this DPA, and provide general written authorization to Tailscale to engage Subprocessors as necessary to provide the Tailscale Solution. + + 6.2 The Subprocessor Page may be updated by Tailscale from time to time. The Subprocessor Page contains a mechanism to subscribe to notifications of updates to the Subprocessor Page; it is your obligation to subscribe to receive notifications and updates. Tailscale may provide details of any changes to the Subprocessor Page via this subscription mechanism or other electronic means. + + 6.3 At least ten (10) days before enabling any third party other than existing authorized Subprocessors to access or participate in the Processing of Personal Data, Tailscale will add such third party to the Subprocessor Page and provide notice of the change. You may object to such engagement by informing Tailscale within ten (10) days of the notice date, provided such objection is in writing and based on reasonable grounds relating to data protection. You acknowledge that certain Subprocessors are essential to providing the Tailscale Solution, and that objecting to the use of a Subprocessor may prevent Tailscale from offering the Tailscale Solution to you. 
If you do not object in writing within ten (10) days of notice by Tailscale, that third party will be deemed an authorized Subprocessor for the purposes of this DPA. If you reasonably object and Tailscale does not respond to or resolve your objections within a commercially reasonable period of time, you will be entitled to terminate the Agreement with immediate effect by providing written notice to Tailscale. Upon such termination, Tailscale will refund to you on a pro rata basis any prepaid Fees covering the remainder of your Order Form or subscription term (as applicable) after the effective date of termination. Termination hereunder shall not relieve you of any Fees owed to Tailscale up to the date of termination. This right to terminate and refund will be Customer’s sole and exclusive remedy with respect to the subject matter of this provision. + + 6.4 If the parties have entered into Standard Contractual Clauses (“SCCs”) as described in Section 7 (International Data Transfers): (a) the above authorizations will constitute your prior written consent to the subcontracting by Tailscale of the Processing of Personal Data if such consent is required under the SCCs; and (b) solely upon your written request, Tailscale will make available to you copies of the agreements with authorized Subprocessors pursuant to Clause 9(c) of the SCCs, redacted as necessary to protect commercial information or other Tailscale Confidential Information unrelated to the SCCs. 7. **International Data Transfers.** 7.1 Tailscale will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws and the provisions in this Section 7. 
Where Tailscale engages in an onward transfer of Personal Data, Tailscale shall ensure that, where legally required, a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another. Customer will ensure that Customer and Customer’s Permitted Users are entitled to transfer the Personal Data to Tailscale so that Tailscale may lawfully Process the Personal Data in accordance with this DPA, including without limitation by sub-contracting any Processing to an Affiliate or third party Subprocessor. - 7.2 To the extent legally required, the EU SCCs form part of this DPA and will be deemed completed as set forth in Schedule A. In the event of a conflict between the terms of the EU SCCs and this DPA, the EU SCCs will prevail. + 7.2 To the extent legally required, the EU SCCs form part of this DPA and will be deemed completed as set forth in [Schedule A](#schedule-a). In the event of a conflict between the terms of the EU SCCs and this DPA, the EU SCCs will prevail. - 7.3 To the extent legally required, the UK SCCs form part of this DPA and will be deemed completed as set forth in Schedule B. In the event of a conflict between the terms of the UK SCCs and this DPA, the UK SCCs will prevail. + 7.3 To the extent legally required, the UK SCCs form part of this DPA and will be deemed completed as set forth in [Schedule B](#schedule-b). In the event of a conflict between the terms of the UK SCCs and this DPA, the UK SCCs will prevail. 7.4 With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction or the United Kingdom) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner. 
In the event of a conflict between the terms of the EU SCCs as amended by this Section 7.1.3 and this DPA, the EU SCCs as amended by this Section 7.1.3 will prevail. -8. **Auditing Compliance.** +8. **Auditing Compliance.** Upon your written request, and no more than once during each Order Form Term or Subscription Term (as applicable), we will provide you with our most recent security review reports and/or applicable certifications for the Tailscale Solution and provide reasonable assistance and information to you to understand the information in such reports. You agree that such third party reports and certifications are sufficient to demonstrate Tailscale’s compliance with the obligations set out in this DPA. If you have a reasonable objection that the information provided is not sufficient to demonstrate Tailscale’s compliance with this DPA, provided such objection is based on reasonable grounds related to data protection, you may conduct an audit, or select a mutually-agreed upon third-party to conduct an audit, of Tailscale’s practices related to Processing Personal Data in compliance with this DPA, at your sole expense (an **“Audit”**). General compliance Audits shall occur not more than once every twelve (12) calendar months. To the extent you use a third-party representative to conduct the Audit, you will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. You will provide Tailscale with at least thirty (30) days prior written notice of its intention to conduct an Audit. Before any Audit, the parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the Tailscale reimbursement rate for which you will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of Tailscale. 
You and your third-party representatives will conduct Audits: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Tailscale Solution; and (ii) in a manner that will result in minimal disruption to Tailscale’s business operations and during Tailscale’s normal business hours. Neither you nor your third-party representatives will be entitled to receive data or information of other Tailscale customers or any other Tailscale Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. You will promptly provide us with the Audit results upon completion of the Audit. All Audit related materials will be considered “Confidential Information” subject to the confidentiality provisions of the Agreement. - 8.1 Upon your written request, and no more than once during each Order Form Term or Subscription Term (as applicable), we will provide you with our most recent security review reports and/or applicable certifications for the Tailscale Solution and provide reasonable assistance and information to you to understand the information in such reports. - - 8.2 If you have a reasonable objection that the information provided is not sufficient to demonstrate Tailscale’s compliance with this DPA, you may conduct an audit, or select a mutually-agreed upon third-party to conduct an audit, of Tailscale’s practices related to Processing Personal Data in compliance with this DPA, at your sole expense (an “**Audit**”). General compliance Audits shall occur not more than once every twelve (12) calendar months. To the extent you use a third-party representative to conduct the Audit, you will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. 
You will provide Tailscale with at least thirty (30) days prior written notice of its intention to conduct an Audit. Before any Audit, the parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the Tailscale reimbursement rate for which you will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of Tailscale. You and your third-party representatives will conduct Audits: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Tailscale Solution; and (ii) in a manner that will result in minimal disruption to Tailscale’s business operations and during Tailscale’s normal business hours. Neither you nor your third-party representatives will be entitled to receive data or information of other Tailscale customers or any other Tailscale Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. You will promptly provide us with the Audit results upon completion of the Audit. All Audit related materials will be considered “Confidential Information” subject to the confidentiality provisions of the Agreement. 9. **Retention; Return or Destruction.** Tailscale will retain Personal Data in accordance with its standard data retention policies and procedures (“**Retention Procedures**”). Upon your written request, Tailscale will make available to you those portions of its Retention Procedures, redacted as necessary to protect Tailscale Confidential Information, relevant to our Processing of your Personal Data. Except to the extent required otherwise by Data Privacy Laws, Tailscale will, at your choice and upon your written request, return to you or securely destroy all Personal Data upon such request or at termination or expiration of the Agreement. Tailscale will provide you with a certificate of destruction only upon your written request. 
In case of local laws applicable to Tailscale that prohibit the return or deletion of Personal Data, we warrant that we will continue to ensure compliance with this DPA and will only process the Personal Data to the extent and for as long as required under such local laws. -10. **Updates to this DPA.** We may need to update this DPA from time to time as laws, regulations and industry standards evolve, or as we make changes to our business or the Tailscale Solution. For example, if we release a new feature, product or service, we may need to update the information in the Schedules. If that happens, we will promptly post the revised DPA and update the “last updated” date. If we make changes that materially change the parties’ rights or obligations under this DPA, we will provide additional notice in accordance with applicable legal requirements, such as via email, on our website, or through the Tailscale Solution. For the sake of clarity: updating this DPA to include a newly released feature, product or service does not by default constitute such a material change; and we will only make updates for features, products or services that are generally released (not for any that are in Research). By continuing to access and use the Tailscale Solution after the “last updated” date of the revised DPA, you agree to be bound by the revised DPA. If you do not agree with the revised DPA, do not use the Tailscale Solution. +10. **Updates to this DPA.** We may need to update this DPA from time to time as laws, regulations and industry standards evolve, or as we make changes to our business or the Tailscale Solution. For example, if we release a new feature, product or service, we may need to update the information in the Schedules. If that happens, we will promptly post the revised DPA and update the “last updated” date. 
Unless otherwise specified by Tailscale, changes become effective for Customer: upon the next payment period (for Self-Serve customers); upon renewal of Customer’s then-current Order Term; or upon the effective date of a new Order Form; in each case as applicable to Customer and after the updated version goes into effect. Tailscale will use reasonable efforts to notify Customer of material changes through communications via Customer’s account, email or other means, and Customer may be required to click to accept or otherwise agree to the updated DPA. For the sake of clarity: updating this DPA to include a newly released feature, product or service does not by default constitute such a material change; and we will only make updates for features, products or services that are generally released (not for any that are in Research). Continued use of the Tailscale Solution after the updated DPA goes into effect as set forth herein will constitute Customer’s acceptance of such updated version. -11. **Miscellaneous.** The effective date of this DPA shall be the same as that for the Agreement. Each party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each party further represents, warrants, and covenants that it will comply with all Data Privacy Laws applicable to such party in its role as data controller, business, data processor, service provider, or subprocessor (as applicable under Data Privacy Laws). If applicable to Customer, Customer represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Customer Affiliates. 
The parties acknowledge and agree that the exchange of Personal Data between the parties does not constitute a “sale” of Personal Data under any US Data Privacy Laws, and does not form part of any monetary or other valuable consideration exchange between the parties with respect to the Agreement or this DPA. Each party's liability arising out of or related to this DPA is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Tailscale or its Subprocessors Process the Personal Data. +11. **Miscellaneous.** Each party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each party further represents, warrants, and covenants that it will comply with all Data Privacy Laws applicable to such party in its role as data controller, business, data processor, service provider, or subprocessor (as applicable under Data Privacy Laws). If applicable to Customer, Customer represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Customer Affiliates. The parties acknowledge and agree that the exchange of Personal Data between the parties does not constitute a “sale” of Personal Data under any US Data Privacy Laws, and does not form part of any monetary or other valuable consideration exchange between the parties with respect to the Agreement or this DPA. 
Each party's liability arising out of or related to this DPA is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Tailscale or its Subprocessors Process the Personal Data. # SCHEDULE A @@ -142,7 +143,7 @@ The competent supervisory authority will be in accordance with the provision app As provided in Schedule D to this DPA. ### Annex III: List of Subprocessors -Not applicable; Customer has given general written authorization in accordance with Section 6 of the DPA. Tailscale’s current list of Subprocessors as of the effective date, for which Customer grants general written authorization by signing this DPA, is available at the Subprocessor List. +Not applicable; Customer has given general written authorization in accordance with Section 6 of the DPA. Tailscale’s current list of Subprocessors as of the effective date, for which Customer grants general written authorization by signing this DPA, is available at the Subprocessor Page. # SCHEDULE B 
@@ -205,4 +206,3 @@ The following provides an overview of some of Tailscale’s key Security Measure | Vendor Selection | All of our vendors offer industry-leading products and go through an exhaustive security review as a standard part of our vendor management policy, to ensure their practices meet our security and compliance standards.‍ | | Personnel | Level of access is determined by role. Logical access reviews are performed periodically and access is immediately removed when no longer necessary. Multi-factor authentication is enforced for all personnel. Personnel devices have security features enabled, such as antivirus, disk encryption, automatic device blocking, and security patches. We run background checks and sign confidentiality agreements with personnel in accordance with applicable laws. We regularly provide security training for personnel. | | Policies & Procedures | Among other company policies and plans, Tailscale has a Business Continuity Plan / Disaster Recovery policy that is routinely tested to maximize availability, and an incident response policy and plan. | -
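Review bot: in the rewritten Section 8 (the first hunk above), the sentence "You will provide Tailscale with at least thirty (30) days prior written notice of its intention to conduct an Audit" still carries the pronoun mismatch from the old 8.2 text; since the clause addresses the Customer as "you", it should read "of your intention". The newly added sentence "You agree that such third party reports and certifications are sufficient to demonstrate Tailscale's compliance" is immediately followed by a clause letting the Customer object that the information is "not sufficient", so the two read as contradictory; consider opening the objection sentence with "Notwithstanding the foregoing, if you have a reasonable objection ..." so the exception is explicit.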
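Review bot: the new effectiveness sentence in Section 10 ("upon renewal of Customer's then-current Order Term") uses "Order Term", while Section 8 in this same patch uses "Order Form Term or Subscription Term (as applicable)"; align on one defined term. The added text also switches from the "we/you" voice of the retained first sentences of Section 10 to "Customer" ("changes become effective for Customer ... Customer may be required to click to accept"), so pick one voice for the section.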
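Review bot: the Section 11 hunk removes "The effective date of this DPA shall be the same as that for the Agreement" without a replacement anywhere in the hunk, yet the Annex III text below still refers to "the effective date"; confirm the sentence has been relocated elsewhere in the document rather than dropped.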
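Review bot: the Annex III hunk replaces "Subprocessor List" with the capitalized term "Subprocessor Page", but no definition of "Subprocessor Page" (or the URL it points to) appears in this patch; either add the definition alongside the other defined terms or use lowercase descriptive wording, and grep for any remaining references to "Subprocessor List".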
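Review bot: the last hunk only drops the trailing blank line of Schedule B; while touching this table, the unchanged "Vendor Selection" context row ends in "compliance standards.‍ |" with a stray invisible non-printing character after the period that is worth stripping in the same change.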