Dune Data Processing Agreement
Last updated on May 14, 2024
1. Scope and purpose of Data Processing Agreement
This Data Processing Agreement (the "DPA") delineates the respective rights and responsibilities of Dune Analytics AS ("Dune" or "Data Processor") and the legal entity that has signed up to the Services ("Customer" or "Data Controller"), as further described in Section 3 below, when the Data Processor processes personal data on behalf of the Data Controller (together "the Parties"), as part of the services offered under the Terms of Service and/or any other agreement entered into between the Parties regarding Services rendered by Dune to the Customer (the "Terms").
For processing not covered by the Terms, each Party is considered a separate controller under the Applicable Privacy Law, unless otherwise agreed in writing between the Parties.
The DPA consists of this document and its accompanying Terms. In cases of conflict between the Terms and this DPA, the latter shall prevail for matters specifically pertaining to processing of personal data.
2. Definitions
"Applicable Privacy Law" refers to the relevant versions of the EU's General Data Protection Regulation (2016/679) ("GDPR"), the Norwegian Act on the Processing of Personal Data of June 15, 2018 (the Personal Data Act), and any additional applicable legislation concerning the processing and protection of personal data.
“Data” means the personal data processed under this Agreement.
“Data Controller” refers to the Customer, when the processing of personal data pertains to the provision of the Services, as described in the Terms. For the avoidance of doubt, the Controller is the user that uploads the data to the Dune Data Hub and the Team that owns the namespace to which this Data is uploaded.
“Dune Data Hub Service” means the Dune Data Hub Service as defined in the Terms.
“Data Processor” refers to Dune, when Dune processes personal data on behalf of the Customer in connection with the provision of the Services, as described in the Terms.
“Data Transfer” refers to a processing operation that satisfies the following cumulative requirements, as defined by the European Data Protection Board (EDPB):
- A controller or a processor (“Exporter”) is subject to the GDPR for the given processing.
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“Importer”).
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
“Services” has the meaning given in the Terms.
"Sub-processor" refers to an entity or individual engaged by the Data Processor as a subcontractor to process personal data under the Terms.
Terms not explicitly defined herein shall be interpreted in accordance with Article 4 of the GDPR or the Terms.
3. Scope of processing
3.1 Processing operations and controllership
Dune will process personal data on behalf of the Customer in connection with providing the Services, as set forth in the Terms. The Customer acknowledges that the Customer is the Data Controller, and that Dune is the Data Processor, when the Controller uploads personal data to the Dune Data Hub and processes such data by creating dashboards that provide analyses, trends, and statistics of the Data.
The Controller uploads the Data to the Dune Data Hub Service and shall indicate that such Data is personal data. All other users that participate in the same Team (as defined in Dune’s Terms of Service) may have access to and use the Data as provided in the Dune Data Hub Services Addendum. The Controller and the other users in the Team are solely responsible for the exposure of the Data in public dashboards. Dune has no control over how the Controller and the Team users use the Data.
For any activity not covered by the Services or the DPA, each Party shall be considered an individual data controller.
3.2 Categories of personal data
The nature, purpose, and categories of personal data subject to this DPA shall be defined by the Controller as it uploads the personal data to the Processor’s systems. The Parties agree that no special categories of data (as regulated in GDPR Articles 9 and 10) will be processed under this Agreement.
4. Rights and Responsibilities of the Data Controller
The Data Controller bears the responsibility for processing personal data in compliance with the Applicable Privacy Law. Specifically, the Data Controller must ensure that:
- Processing of personal data has a legal basis,
- Data subjects have been adequately informed about how their personal data will be processed,
- Where appropriate, risk assessments are performed,
- It will only upload and provide personal data if it is using the non-public version of the Services (i.e., private dashboards); and
- The Data Processor is provided with unambiguous instructions and sufficient information to fulfil its obligations under this DPA and the Applicable Privacy Law.
5. Instructions from the Data Controller to the Data Processor
The Data Processor shall adhere to the Applicable Privacy Law and the Data Controller's documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless the Data Processor is required to make such a transfer under EU or member state law. The Data Controller's instructions are detailed in the Terms and this DPA, along with written correspondence between the Parties. Should the Data Processor perceive a conflict between these instructions and the Applicable Privacy Law, the Data Processor shall immediately notify the Data Controller.
Changes to these instructions must be documented in writing between the Parties. Dune may request reimbursement for documented costs incurred due to the implementation of such changes, or a proportional adjustment of the remuneration under the Terms if the amended instructions result in additional costs.
6. Confidentiality and Duty of Secrecy
The Data Processor must ensure that only authorized personnel have access to the personal data. Authorization should cease immediately if it expires or is revoked.
Access to personal data must be granted solely to those who require it to fulfil their duties under the Terms, this DPA, and any other necessary processing obligations under applicable law.
Individuals authorized by Dune to process personal data shall be legally bound by a duty to preserve confidentiality, either contractually or through applicable law. These obligations shall persist beyond the termination of this DPA and/or employment relationship.
Upon request from the Data Controller, the Data Processor must provide documentation verifying that relevant personnel are bound by confidentiality obligations.
Following the termination of this DPA, the Data Processor must immediately cease all access to personal data processed under this DPA. However, the Parties acknowledge that Dune shall continue to process personal data as a controller for personal data collected in connection with this DPA and Terms, but which will be processed outside the scope and purposes set forth in this DPA and the Terms.
7. Assistance to the Data Controller
Upon request, the Data Processor shall assist the Data Controller in fulfilling the rights of data subjects under Chapter III of the GDPR. This obligation only applies to the extent that it is possible, appropriate, and necessary, considering the nature and scope of data processing under the Terms.
The Data Processor must promptly forward all inquiries from data subjects regarding their rights under this DPA and Applicable Privacy Law to the Data Controller. Responses to such inquiries can only be provided by the Data Processor upon written approval from the Data Controller.
The Data Processor is also required to assist the Data Controller in ensuring compliance with Articles 32-36 of the GDPR, taking into account the nature of processing and the information available to the processor. This includes aiding in data impact assessments and prior consultations with the Norwegian Data Protection Authority.
Should the Data Processor provide assistance beyond what is required to fulfil its obligations under this DPA and Applicable Privacy Law, the Data Processor may claim reimbursement for all documented costs related to such assistance. These costs will be reimbursed according to the pricing provisions of the Terms.
8. Security of Processing
The Data Processor is obligated to implement appropriate technical and organizational measures to secure a level of safety commensurate with the risk. These measures should be aligned with the current state of technology, the cost of implementation, and the type, scope, and purpose of processing, in addition to the risk and severity it poses to the rights and freedoms of natural persons. At a minimum, the Data Processor must adhere to the following principles and measures:
- Access Controls: Dune personnel are required to authenticate using multi-factor authentication to access the platform powering Dune (PaaS) and running on AWS.
- Limited access: Dune personnel access customer data only as necessary to provide the Services under the Agreement, to provide customer support upon a customer’s request, or to comply with the law or a binding order of a governmental body.
- Separation of environments: Dune logically separates its endpoints and end user environment from its PaaS environment.
- Monitoring and Logging: Dune monitors its PaaS environment and centralizes its logs.
- Security Incident Reporting: If Dune becomes aware of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, Dune will notify impacted customers without undue delay and in accordance with its contractual obligations and commitments in this DPA.
- Investigation: In the event of a security incident, Dune shall promptly take reasonable steps to contain, investigate, and mitigate any security incident.
The Data Processor must conduct risk assessments to ensure a consistent level of security. The Data Processor shall perform regular testing, assessment, and evaluation of these security measures, particularly to ensure enduring confidentiality, integrity, availability, and robustness in the data processing systems and the services.
The Data Processor is required to document these risk assessments and security measures, and make them available to the Data Controller upon request. This also includes allowing for audits as agreed between the Parties, as per section 12 of this DPA.
9. Notification of Personal Data Security Breach
In the event of a personal data breach, the Data Processor must without undue delay notify the Data Controller. This notification should provide all necessary information and assistance for the Data Controller to report the breach to supervisory authorities in compliance with the Applicable Privacy Law.
Such notifications must include:
- A description of the nature of the data breach, including the categories and approximate number of data subjects and data records affected.
- Contact details for further information.
- An assessment of the likely consequences of the breach.
- Proposed measures to address and mitigate the breach.
If required, information can be submitted in phases, provided it is without undue delay.
The Data Processor must implement all reasonable measures to rectify and prevent similar data breaches in the future.
The Data Controller bears the responsibility for notifying both the Data Protection Authority and the affected data subjects. The Data Processor is prohibited from informing third parties about the breach, unless mandated by applicable law or expressly instructed in writing by the Data Controller.
10. Use of Sub-processors
The Data Processor is hereby granted general authorization from the Data Controller to use Sub-Processors, as further described in Dune’s Privacy Policy.
The same data protection obligations outlined in this DPA must be imposed on the Sub-processor through a written contract. The Data Processor can only engage Sub-Processors that have implemented adequate technical and organizational measures to ensure compliance with the Applicable Privacy Law. The Data Processor is obligated to assess and confirm that satisfactory measures have been implemented by the Sub-Processors and must be able to provide assessment reports to the Data Controller upon request.
Should the Data Controller object to a new Sub-Processor, both Parties must negotiate in good faith to reach a reasonable solution, including the apportionment of any costs between them. An agreement must be reached before any changes in Sub-Processor usage can be made.
If a Sub-Processor fails to meet its data protection obligations, the Data Processor remains liable to the Data Controller as if the Data Processor itself were responsible for the processing.
Upon request, the Data Processor must disclose agreements with Sub-Processors to the Data Controller. This applies only to portions relevant to data processing and is subject to statutory or regulatory limitations. Commercial terms are not required to be disclosed.
11. Transfer of Personal Data to Countries Outside the EEA
The transfer of personal data to countries outside the European Economic Area (EEA), or to international organizations, requires written approval from the Data Controller. The Data Controller hereby grants the Data Processor authorization to transfer personal data to Sub-processors already granted general authorization under section 10, provided that the Data Transfer complies with the Applicable Privacy Law and in particular Chapter V of the GDPR.
The Data Controller acknowledges and authorizes that the Data Processor may use AWS as a Sub-processor.
12. Audit
Upon request, the Data Processor must provide the Data Controller with all necessary information to demonstrate compliance with Article 28 of the GDPR and this DPA.
The Data Processor must facilitate and contribute to inspections and audits conducted by or on behalf of the Data Controller and by relevant supervisory authorities. Audits of any Sub-Processors shall be carried out by the Data Processor unless otherwise specifically agreed.
If an audit reveals a breach of obligations under the Applicable Privacy Law or this DPA, the Data Processor is required to rectify the breach promptly. The Data Controller may demand that the Data Processor temporarily halt all or part of the data processing activities until the breach is rectified and approved by the Data Controller.
The Customer shall bear the costs for annual audits. However, if the audit uncovers significant breaches of obligations under the Applicable Privacy Law or this DPA, Dune shall bear the Customer’s reasonable audit-related costs.
13. Erasure and Return of Information
The Parties acknowledge that Dune shall continue to process personal data as a controller for personal data collected in connection with this DPA and Terms, but which will be processed outside the scope and purposes set forth in this DPA and the Terms.
Upon the termination of this DPA, the Data Processor is obligated to, at the choice of the Data Controller, delete or return all personal data processed on behalf of the Data Controller, within the scope of this DPA and Terms. The Data Controller will specify the format in which the data return should occur. The Data Processor's documented costs related to the data return shall be borne by the Data Controller, unless covered by the remuneration under the Terms.
The Data Processor must confirm in writing to the Data Controller that personal data processed for the purposes set forth in this DPA and the Terms has been deleted or rendered inaccessible, or that its processing has ceased.
14. Breach and Suspension Orders
In case of a breach of this DPA or the Applicable Privacy Law, the Data Controller and relevant supervisory authorities may instruct the Data Processor to immediately cease all or part of the data processing activities, subject to this DPA and Terms.
Failure to comply with the terms of this DPA or the Applicable Privacy Law shall be considered a breach of the Terms. The obligations, deadlines, sanctions, and limitations of liability outlined in the Terms shall apply, unless otherwise explicitly agreed.
15. Duration and Expiry
This DPA becomes effective upon the date of acceptance and creation of the User. It remains in effect for as long as the Data Processor processes personal data on behalf of the Data Controller.
Termination rules specified in the Terms shall also apply to this DPA, where relevant. This DPA may not be terminated as long as the Terms remain in effect, unless replaced by a new DPA.
16. Miscellaneous
The sections on “User Content”, “Deletion of data” and “Deletion of your account” in the General Terms and Conditions apply insofar as these provisions are compatible with this DPA and the Applicable Privacy Law.
This DPA shall be governed by, and construed in accordance with, the provisions relating to Governing Law and Dispute Resolution as stipulated in the Terms.