Dune Data Processing Agreement

Last updated on May 13, 2026

1. Scope and purpose of Data Processing Agreement

This Data Processing Agreement (the "DPA") delineates the respective rights and responsibilities of Dune Analytics AS (“Dune” or “Data Processor”) and the legal entity that has signed up to the Services (“Customer” or “Data Controller”), as further described in Section 3 below when the Data Processor processes personal data on behalf of the Data Controller (together “the Parties”), as part of the services offered under the Terms of Service and/or any other agreement entered into between the Parties regarding Services rendered by Dune to the Customer (the “Terms”).

For processing not covered by the Terms, each Party is considered a separate controller under the Applicable Privacy Law, unless otherwise agreed in writing between the Parties.

The DPA consists of this document and its accompanying Terms. In cases of conflict between the Terms and this DPA, the latter shall prevail for matters specifically pertaining to processing of personal data.

2. Definitions

"Applicable Privacy Law" refers to the relevant versions of the EU's General Data Protection Regulation (2016/679) ("GDPR"), the Norwegian Act on the Processing of Personal Data of June 15, 2018 (the Personal Data Act), and any additional applicable legislation concerning the processing and protection of personal data.

“Data” means the personal data processed by Dune on behalf of Customer under this DPA.

“Data Controller” means the Customer that determines the purposes and means of processing personal data submitted to the Services. Where a user uploads Data on behalf of a Team or legal entity, that Team or legal entity is the Data Controller, and the uploading user represents that it is authorized to provide instructions on its behalf.

“Data Processor” refers to Dune, when Dune processes personal data on behalf of the Customer in connection with the provision of the Services, as described in the Terms.

“Data Transfer” refers to a processing operation that satisfies the following cumulative requirements, as defined by the European Data Protection Board (EDPB):

  1. A controller or a processor (“Exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“Importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

“Services” as defined in the Terms.

"Sub-processor" refers to an entity or individual engaged by the Data Processor as a subcontractor to process personal data under the Terms.

Terms not explicitly defined herein shall be interpreted in accordance with Article 4 of the GDPR or the Terms.

3. Scope of processing

3.1 Processing operations and controllership

Dune processes Data on behalf of Customer only to provide, secure, support, and improve the Services in accordance with Customer’s documented instructions, the Terms, this DPA, and applicable law. Customer is the Data Controller and Dune is the Data Processor for Private Uploaded Data containing personal data.

Customer may upload or otherwise provide Data through the Services and shall indicate that such Data is personal data. All other users that participate in the same Team (as defined in Dune’s Terms of Service) may have access to and use the data as provided in the Terms and applicable Service Addenda. Customer and other users in the Team are solely responsible for the exposure of the Data in public dashboards. Dune has no control as to how Customer and the Team users use or disclose the Data.

For any activity not covered by the Services or the DPA, each Party shall be considered an individual data controller.

3.2 Categories of personal data

The nature, purpose, categories of data subjects, and categories of personal data subject to this DPA are described in Appendix 1. Customer shall not submit special categories of personal data under GDPR Article 9, criminal offence data under GDPR Article 10, government identifiers, or other highly sensitive regulated data to the Services unless expressly agreed in writing by Dune. If Customer submits such data without Dune’s prior written agreement, Customer remains solely responsible for the legality of such submission and Dune may suspend processing or require deletion.

4. Rights and Responsibilities of the Data Controller

The Data Controller bears the responsibility for processing personal data in compliance with the Applicable Privacy Law. Specifically, the Data Controller must ensure that:

  1. Processing of personal data has a legal basis,
  2. Data subjects have been adequately informed about how their personal data will be processed,
  3. Where appropriate, risk assessments are performed,
  4. It will only upload and provide personal data if it is using the non-public functionality of the Services; and
  5. the Data Processor is provided with unambiguous instructions and sufficient information to fulfil its obligations under this DPA and the Applicable Privacy Law.

5. Instructions from the Data Controller to the Data Processor

The Data Processor shall adhere to the Applicable Privacy Law and the Data Controller's documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless the Processor is required to make such transfer under EU member state law. The Data Controller's instructions are detailed in the Terms and this DPA, along with written correspondence between the Parties. Should the Data Processor perceive a conflict between these instructions and the Applicable Privacy Law, the Data Processor shall immediately notify the Data Controller.

Customer’s instructions are limited to processing necessary to provide the Services and as otherwise documented in the Terms, this DPA, the applicable order, or written correspondence accepted by Dune.

Changes to these instructions must be documented in writing between the Parties. Dune may request reimbursement for documented costs incurred due to the implementation of such changes, or a proportional adjustment of the remuneration under the Terms if the amended instructions result in additional costs.

6. Confidentiality and Duty of Secrecy

The Data Processor must ensure that only authorized personnel have access to the personal data. Authorization should cease immediately if it expires or is revoked.

Access to personal data must be granted solely to those who require it to fulfil their duties under the Terms, this DPA, and any other necessary processing obligations under applicable law.

Individuals authorized by Dune to process personal data shall be legally bound by a duty to preserve confidentiality, either contractually or through applicable law. These obligations shall persist beyond the termination of this DPA and/or employment relationship.

Upon request from the Data Controller, the Data Processor must provide documentation verifying that relevant personnel are bound by confidentiality obligations.

Following the termination of this DPA, the Data Processor shall cease processing Data except as necessary for deletion, return, backup expiry, legal retention, security, dispute resolution, or compliance purposes. This section does not restrict Dune from processing account, billing, security, usage, support, or business contact data as an independent controller where described in Dune’s Privacy Policy.

7. Assistance to the Data Controller

Upon request, the Data Processor shall assist the Data Controller in fulfilling the rights of data subjects under Chapter III of the GDPR. This obligation only applies to the extent that it is possible, appropriate, and necessary, considering the nature and scope of data processing under the Terms.

The Data Processor must promptly forward all inquiries from data subjects regarding their rights under this DPA and Applicable Privacy Law to the Data Controller. Responses to such inquiries can only be provided by the Data Processor upon written approval from the Data Controller.

The Data Processor is also required to assist the Data Controller in ensuring compliance with Articles 32-36 of the GDPR, taking into account the nature of processing and the information available to the processor. This includes aiding in data impact assessments and prior consultations with the Norwegian Data Protection Authority.

Should the Data Processor provide assistance beyond what is required to fulfil its obligations under this DPA and Applicable Privacy Law, the Data Processor may claim reimbursement for all documented costs related to such assistance. These costs will be reimbursed according to the pricing provisions of the Terms.

8. Security of Processing

The Data Processor is obligated to implement appropriate technical and organizational measures to secure a level of security appropriate to the risk. These measures should be aligned with the current state of technology, the cost of implementation, and the type, scope, and purpose of processing, in addition to the risk and severity it poses to the rights and freedoms of natural persons. At a minimum, the Data Processor must adhere to the following principles and measures:

  1. Access Controls: Dune personnel are required to authenticate using multi-factor authentication to access the platform powering Dune (PaaS) and running on AWS.
  2. Dune personnel access customer data only as necessary to provide the Services under the agreement, to provide customer support upon a customer’s request, or to comply with the law or a binding order of a governmental body.
  3. Separation of environments: Dune logically separates its endpoints and end user environment from its PaaS environment.
  4. Monitoring and Logging: Dune monitors its PaaS environment and centralizes its logs.
  5. Security Incident Reporting: If Dune becomes aware of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Dune will notify impacted customers without undue delay and in accordance with its contractual obligations and commitments in this DPA.
  6. Investigation: In the event of a security incident, Dune shall promptly take reasonable steps to contain, investigate, and mitigate any security incident.

Dune may update its technical and organizational measures from time to time, provided that such updates do not materially reduce the overall level of security for the Services.

The Data Processor must conduct risk assessments to ensure a consistent level of security. The Data Processor shall perform regular testing, assessment, and evaluation of these security measures, particularly to ensure ongoing confidentiality, integrity, availability, and robustness in the data processing systems and the services.

The Data Processor is required to document these risk assessments and security measures, and make them available to the Data Controller upon request. This also includes allowing for audits as agreed between the Parties, as per section 12 of this DPA.

9. Notification of Personal Data Security Breach

If Dune becomes aware of a confirmed personal data breach affecting Data processed on behalf of Customer, Dune will notify Customer without undue delay. This notification should provide reasonably necessary information and assistance for the Data Controller to report the breach to supervisory authorities in compliance with the Applicable Privacy Law.

Such notifications must include:

  1. A description of the nature of the data breach, including the categories and approximate number of data subjects and data records affected.
  2. Contact details for further information.
  3. An assessment of the likely consequences of the breach.
  4. Proposed measures to address and mitigate the breach.

If required, information can be submitted in phases, provided it is without undue delay.

The Data Processor must implement all reasonable measures to rectify and prevent similar data breaches in the future.

The Data Controller bears the responsibility for notifying both the Data Protection Authority and the affected data subjects. The Data Processor is prohibited from informing third parties about the breach, unless mandated by applicable law or expressly instructed in writing by the Data Controller.

10. Use of Sub-processor

Customer grants Dune general authorization to engage Sub-processors. Dune will maintain a list of Sub-processors in its Privacy Policy, Trust Center, or other online location made available to Customers.

The same data protection obligations outlined in this DPA must be imposed on the Sub-processor through a written contract. The Data Processor can only engage Sub-processors that have implemented adequate technical and organizational measures to ensure compliance with the Applicable Privacy Law. The Data Processor is obligated to assess that satisfactory measures have been implemented by the Sub-processors and must be able to provide relevant information regarding such assessments to the Data Controller upon request, subject to confidentiality and security restrictions.

Dune will provide reasonable notice of any intended addition or replacement of Sub-processors. Customer may object on reasonable data protection grounds within the notice period specified by Dune. If the Parties cannot resolve the objection, Customer may stop using the affected Service or terminate the affected Subscription Plan in accordance with the Terms. Dune may proceed with the Sub-processor if necessary to provide the Services, provided that Dune remains responsible for the Sub-processor’s performance of data protection obligations.

If a Sub-processor fails to meet its data protection obligations, the Data Processor remains liable to the Data Controller as if the Data Processor itself were responsible for the processing.

Upon request, the Data Processor must disclose agreements with Sub-processors to the Data Controller. This applies only to portions relevant to data processing and is subject to statutory or regulatory limitations. Commercial terms are not required to be disclosed.

11. Transfer of Personal Data to Countries Outside the EEA

Dune may transfer Data outside the EEA where necessary to provide the Services, including through authorized Sub-processors, provided that such transfer complies with Chapter V of the GDPR, including by relying on an adequacy decision, EU Standard Contractual Clauses, or another valid transfer mechanism. Where required, Dune will implement supplementary measures as appropriate.

12. Audit

Upon request, the Data Processor must provide the Data Controller with all necessary information to demonstrate compliance with Article 28 of the GDPR and this DPA.

Dune may satisfy audit and information requests by providing relevant certifications, audit reports, security summaries, Trust Center materials, or completed security questionnaires, where reasonably sufficient to demonstrate compliance. On-site or intrusive audit measures may be subject to reasonable confidentiality, security, timing, and scope restrictions and may not unreasonably interfere with Dune’s operations.

The Data Processor must facilitate and contribute to inspections and audits conducted by or on behalf of the Data Controller and by relevant supervisory authorities. Audits of any Sub-processors shall be carried out by the Data Processor unless otherwise specifically agreed.

If an audit reveals a breach of obligations under the Applicable Privacy Law or this DPA, the Data Processor is required to rectify the breach promptly. The Data Controller may demand that the Data Processor temporarily halt all or part of the data processing activities until the breach is rectified and approved by the Data Controller.

The Customer shall bear the costs for annual audits. However, if the audit uncovers significant breaches of obligations under the Applicable Privacy Law or this DPA, Dune shall bear the Customer’s reasonable audit-related costs.

13. Erasure and Return of Information

Upon the termination of this DPA, the Data Processor is obligated to, at the choice of the Data Controller, delete or return all personal data processed on behalf of the Data Controller, within the scope of this DPA and Terms. The Data Controller will specify the format in which the data return should occur. The Data Processor's documented costs related to the data return shall be borne by the Data Controller, unless covered by the remuneration under the Terms.

Dune will delete or return Data in accordance with the Terms, this DPA, and Dune’s deletion procedures, unless continued retention is required by applicable law. Data stored in backups will be deleted in accordance with Dune’s ordinary backup lifecycle, provided that such backup data remains protected and is not actively processed except for restoration, security, legal, or continuity purposes.

14. Breach and Suspension Orders

In case of a breach of this DPA or the Applicable Privacy Law, the Data Controller and relevant supervisory authorities may instruct the Data Processor to immediately cease all or part of the data processing activities, subject to this DPA and Terms.

Failure to comply with the terms of this DPA or the Applicable Privacy Law shall be considered a breach of the Terms. The obligations, deadlines, sanctions, and limitations of liability outlined in the Terms shall apply, unless otherwise explicitly agreed.

15. Duration and Expiry

This DPA becomes effective upon Customer’s acceptance of the Terms or other agreement incorporating this DPA. It remains in effect for as long as the Data Processor processes personal data on behalf of the Data Controller.

Termination rules specified in the Terms shall also apply to this DPA, where relevant. This DPA may not be terminated as long as the Terms remain in effect, unless replaced by a new DPA.

16. Miscellaneous

Sections on “User Content”, “Deletion of data” and “Deletion of your account” in the General Terms and Conditions apply insofar as those provisions are compatible with this DPA and Applicable Privacy Law.

This DPA shall be governed by, and construed in accordance with, the provisions relating to Governing Law and Dispute Resolution as stipulated in the Terms.

Appendix 1 - Processing Details

Subject matter: Dune’s processing of personal data uploaded or otherwise made available by Customer through the Services, including private dashboards, queries, APIs, support, security, and operational functions.

Duration: For the term of the Customer’s use of the relevant Services and thereafter only as necessary for deletion, return, backup expiry, legal retention, dispute resolution, security, or compliance purposes.

Nature and purpose of processing: Hosting, storage, retrieval, querying, transformation, visualization, access control, transmission, support, troubleshooting, security monitoring, logging, backup, deletion, and other processing necessary to provide and secure the Services.

Categories of data subjects: As determined by Customer, which may include Customer’s users, personnel, customers, wallet users, transaction participants, or other individuals whose data is included in Uploaded Data.

Categories of personal data: As determined by Customer. Customer may not upload special categories of personal data under GDPR Article 9, criminal offence data under GDPR Article 10, payment card data, health data, children’s data, government-issued identifiers, or other highly sensitive regulated data unless expressly agreed in writing by Dune.

Customer obligations and rights: Customer is responsible for ensuring that it has all necessary rights, notices, lawful bases, consents where applicable, and instructions for the processing of personal data under this DPA.