Infracost Data Processing Addendum
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
"Applicable Data Protection Laws" means any applicable privacy or data protection legislation or regulations, including but not limited to European Data Protection Laws and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its implementing regulations as amended or superseded from time to time ("CCPA") as well as similar laws adopted in other states. In the event of a conflict in the meanings of defined terms in the Applicable Data Protection Laws, the meaning from the law applicable to the region of residence of the relevant Data Subject applies.
"Controller" shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable, "controller" as that term is defined under European Data Protection Laws and Applicable Data Protection Laws in the United States and "business" as the term is defined under the CCPA.
"Customer" means a corporate client that hires Infracost services and will have its team members' Personal Data under Processing.
"Customer Personal Data" means any Personal Data Processed by Infracost as a Processor on behalf of Customer (the Controller) or a Third-Party Controller pursuant to the Agreement.
"Data Subject" shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable, "data subject" as that term is defined under European Data Protection Laws and "consumer" as the term is defined under the CCPA and Applicable Data Protection Laws in the United States.
"Data Subject Rights" means all rights granted to Data Subjects under Applicable Data Protection Laws, which may include, as applicable, rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Laws.
"Data Transfer" means a disclosure of Customer Personal Data by an organization subject to European Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland.
"DPA" means this Data Processing Agreement.
"EEA" means the European Economic Area.
"European Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA, including the European Union, and all other data protection laws of the EEA, the United Kingdom ("UK"), and Switzerland, each as applicable, and as may be amended or replaced from time to time.
"EU-US Data Privacy Framework" means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final.
"Personal Data" shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable, "personal data" as that term is defined under European Data Protection Laws and "personal information" as the term is defined under the CCPA.
"Process" and "Processing" shall be interpreted consistent with Applicable Data Protection Laws.
"Processor" shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable, a "processor" as the term is defined under European Data Protection Laws and "service provider" or "contractor" as those terms are defined under the CCPA.
"SCCs" means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time.
"Services" means the services provided by Infracost to the Customer under the Agreement.
"Subprocessor" means any person appointed by Infracost to Process Personal Data on behalf of the Customer in connection with the Agreement.
"Third-Party Controller" means a Controller for which the Customer is a Processor.
"UK Addendum" means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
The terms "Commission", "Member State", "Personal Data Breach" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The terms "Business Purpose", "Share", and "Shared" shall have the same meaning given to them under the CCPA. The terms "Sell" and "Selling" shall have the meaning defined in Applicable Data Protection Laws in the United States.
2. Scope
2.1. This DPA applies to the Processing of Customer Personal Data by Infracost. The subject matter, nature, and purposes of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.2. Customer is a Controller of Customer Personal Data and appoints Infracost as a Processor of such data. Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers. In particular, and where applicable, Customer acknowledges and agrees that it will provide notice to Data Subjects about the Processing of Personal Data by Infracost as described in this DPA and obtain Data Subjects' consent to such Processing by Infracost as necessary to comply with Applicable Data Protection Laws. Infracost shall comply with the obligations of Applicable Data Protection Laws and, as applicable, shall provide the level of privacy protection to Customer Personal Data required by such Applicable Data Protection Laws.
2.3. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Infracost; must obtain all necessary authorizations from such Third-Party Controller; will ensure that the Third-Party Controller provided notice and obtained any consents necessary for Processing by Infracost as set forth in section 2.2; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
3. Processing of Customer Personal Data
3.1. Infracost shall not Process Customer Personal Data other than on the relevant Customer's documented instructions.
3.2. The Customer's instructions are documented in this DPA, the Agreement, and any applicable statement of work, and Infracost shall process Customer Personal Data for the limited and specific purposes of carrying out these documented instructions or as otherwise expressly permitted by Applicable Data Protection Laws. Where permitted by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to ensure that Infracost uses Customer Personal Data consistent with Customer's obligations under Applicable Data Protection Laws.
3.3. Solely for the purposes of the CCPA, and except as expressly permitted by the CCPA, Infracost is prohibited from: (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the Services, (iii) retaining, using, or disclosing Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.
3.4. Unless prohibited by applicable law, Infracost will inform Customer if Infracost is subject to a legal obligation that requires Infracost to Process Customer Personal Data in contravention of Customer's documented instructions.
3.5. It is the responsibility of the Customer (acting as Controller) to ensure that all Data Subjects are fully informed and aware of the Personal Data Processing Activities to be carried out by Infracost and that it has a valid documented Legal Basis to share Customer Personal Data with Infracost.
4. Personnel
Infracost shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and ensuring that all such individuals are subject to contractual confidentiality obligations or professional or statutory obligations of confidentiality.
5. Security
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Infracost shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Annex II.
5.2. In assessing the appropriate level of security, Infracost shall take into account in particular the risks that are presented by Processing, in particular from a Personal Data Breach.
6. Subprocessing
6.1. Customer hereby authorizes Infracost to engage Subprocessors.
6.2. Infracost will enter into a written agreement with Subprocessors which imposes the same obligations as required by Applicable Data Protection Laws.
6.3. Infracost will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor by providing written notice detailing the grounds of such objection within thirty (30) days following Infracost's notification of the intended change. Customer and Infracost will work together in good faith to address Customer's objection. If Infracost chooses to retain the Subprocessor, Infracost will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Data Subject Rights
7.1. Taking into account the nature of the Processing and the information available to Infracost, Infracost shall assist the Customer by implementing appropriate technical and organizational measures, as appropriate, for the fulfillment of the Customer's obligations to respond to requests to exercise Data Subject Rights.
7.2. Infracost shall:
7.2.1. promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data; and
7.2.2. ensure that it does not respond to that request except on the documented instructions of the Customer or as required by applicable laws.
8. Personal Data Breach
8.1. Infracost shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
8.2. Infracost shall cooperate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
Infracost shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Infracost.
10. Deletion or Return of Customer Personal Data
10.1. This DPA is terminated upon the termination of the Agreement.
10.2. Promptly following expiration or termination of the Agreement, and at Customer's choice, Infracost will return to Customer and/or delete all Customer Content from the Services, including Customer Personal Data contained in Customer Content, within sixty (60) days of such expiration or termination unless the parties agree, in writing, to retention beyond such period. For clarity, this obligation does not apply to Customer Personal Data contained only in system generated logs, audit trails and backups that are maintained and deleted in accordance with Infracost's standard retention schedules for security, audit and business continuity, provided that such data is no longer processed for the provision of the Services and remains subject to the confidentiality and data security obligations set forth in the Agreement. Infracost may retain Customer Personal Data to the extent required by applicable law, but only to the extent and for such period as required by such law and always provided that Infracost shall continue to adhere to all relevant obligations of confidentiality and data security set forth in the Agreement.
11. Audit Rights and Compliance
11.1. Subject to this Section 11 and upon reasonable request of Customer, Infracost shall make available to Customer all information necessary to demonstrate compliance with Applicable Data Protection Laws in relation to Customer Personal Data. Where permitted by law, Infracost may satisfy this obligation by providing a summary of the results of a relevant third-party audit or certification (for example, SOC 2, ISO 27001 or similar), together with other information reasonably requested by Customer. Customer agrees that, in the absence of reasonable indications to the contrary, such documentation and reports will be the primary means by which Customer verifies Infracost's compliance.
11.2. To the extent required by the SCCs or other Applicable Data Protection Laws, and where the information made available under Section 11.1 is not sufficient to demonstrate compliance, Customer (or Customer's designated auditor, provided such auditor is not a direct competitor of Infracost) may perform audits and inspections of Infracost's processing of Customer Personal Data. Any such audit or inspection shall: (a) be conducted on no less than thirty (30) days' prior written notice, during normal business hours and in a manner designed to minimize disruption to Infracost's business; (b) occur no more than once in any twelve (12) month period, unless (i) required by a competent supervisory authority, (ii) reasonably necessary in light of a Personal Data Breach affecting Customer Personal Data, or (iii) Infracost has notified Customer under Section 11.3 that it can no longer meet its obligations under Applicable Data Protection Laws; (c) be limited in scope to what is reasonably necessary to verify compliance with this DPA and Applicable Data Protection Laws in relation to Customer Personal Data; and (d) be carried out at Customer's expense, without requiring Infracost to disclose information that is confidential or proprietary to Infracost or its other customers, or that would compromise the security of Infracost's systems. Nothing in this Section 11 is intended to limit or exclude any audit or inspection rights that Customer or a Third-Party Controller may have directly under the SCCs or other Applicable Data Protection Laws.
11.3. Solely for the purpose of the CCPA, Infracost shall promptly notify Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving notice from Infracost in accordance with this subsection, Customer may direct Infracost to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
12. Data Transfer
12.1. Customer hereby authorizes Infracost to perform Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or by other competent authorities (including in the UK and Switzerland), as appropriate; on the basis of adequate safeguards in accordance with European Data Protection Laws; or pursuant to the SCCs and the UK Addendum referred to in Sections 12.2 and 12.3 below.
12.2. By entering into this DPA, Customer and Infracost conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (processor-to-subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the "data exporter" is Customer; the "data importer" is Infracost; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the courts of Ireland; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
12.3. By entering into this DPA, Customer and Infracost conclude the UK Addendum, which is hereby incorporated and applies to Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the "Exporter" is Customer and the "Importer" is Infracost, their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs referred to in Section 12.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the "Approved EU SCCs" are Annex I and II respectively; and (iv) in Table 4, both the "Importer" and the "Exporter" can terminate the UK Addendum.
13. Data Residency
13.1. In certain instances, Customer may specifically request that the Customer Personal Data uploaded to or otherwise contained within the Services be hosted in a particular jurisdiction where Infracost offers data storage ("Data Residency"). Availability of this option is subject to Infracost's discretion. Notwithstanding any selected or agreed upon Data Residency or any other term to the contrary, Customer Personal Data may nevertheless be processed outside of such Data Residency location, including, but not limited to, the following instances:
13.1.1. Subprocessors: Infracost may engage Subprocessors (per the process set forth in Section 6 hereof) located outside of the selected Data Residency location. In such instances, Personal Data shall be transferred and processed in accordance with the relevant safeguards as provided in Section 12 hereof, as applicable.
13.1.2. Support Services: At Customer's direction, Infracost support personnel outside of the Data Residency location may access Personal Data of Customer or Customer's personnel (for example, for customer support requests outside of Infracost's standard business hours).
13.1.3. Moderation Team: Infracost's safety team may, in the course of their responsibilities, access Customer Personal Data from outside of the Data Residency location for purposes of reviewing and managing Customer Content.
Annex I
Description of the Transfer
A. List of Parties
Data exporter:
- Customer (as defined above)
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
- Name: Infracost Inc.
- Address: 2261 Market Street STE 85821, San Francisco, California 94114, USA
- Role (controller/processor): Processor
B. Description of International Data Transfer
Categories of Data Subjects whose Personal Data is Transferred:
- Individuals who are authorized by Customer or a Third-Party Controller to use the Services, for example: employees, contractors and other staff of Customer or a Third-Party Controller who use Infracost Cloud, the Infracost CLI and related CI/CD integrations in the course of their work.
- Individuals whose identity or contact details appear in repository or configuration metadata, pull or merge requests, cost estimates or policy results submitted by or on behalf of Customer, to the extent those contain Personal Data.
- Natural persons acting as sole traders or individual professionals using the Services, where applicable.
Categories of Personal Data Transferred:
Customer Personal Data transferred in connection with the Services may include:
- Account and profile information for authorized users, such as business email address, name, organization, role or similar identifiers required to create and manage user accounts.
- Authentication and integration identifiers, such as usernames, single sign-on identifiers, and integration tokens, needed to connect to source control, CI/CD, and cloud platforms, on Customer's instructions.
- Source control, configuration and cost-related data submitted by or on behalf of Customer, including repository identifiers, pull or merge request metadata, infrastructure as code and cloud configuration attributes, cost estimates and policy evaluation results, to the extent they contain or are linked to Personal Data.
- Operational and security telemetry related to use of the Services, such as user activity logs, error logs, IP address, browser and operating system information, timestamps and similar diagnostic information.
Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The Services are not designed to require special categories of Personal Data as defined in European Data Protection Laws, nor data relating to criminal convictions or offenses, and Customers are instructed not to include such data in code, configuration or other content they submit to the Services.
To the extent Customers nonetheless include such data in Customer Content, it is processed only in accordance with their documented instructions in a B2B context and is protected by appropriate technical and organizational measures as described in Annex II, including strict access controls, logging, and encryption.
The frequency of the transfer:
The transfer is performed on a continuous basis for the duration of the Agreement.
Main Subprocessors
Please refer to the list of subprocessors in section 12 of the Privacy Policy.
Nature of the processing:
Customer Personal Data is collected, used, stored, transmitted, and otherwise processed strictly in accordance with Customer's documented instructions to provide, secure, monitor, and support the Services in a B2B context. This includes operating Infracost Cloud and related tools, running ephemeral jobs that fetch code and configuration from Customer systems, computing and storing cloud cost estimates and policy results, maintaining logs and telemetry, and sending notifications and other outputs to authorized users, all on behalf of Customer or a Third-Party Controller.
Purpose(s) of the International Data Transfer and further Processing:
Customer Personal Data is transferred and further processed solely for the purposes of providing the Services to Customer under the Agreement, including enabling authorized users to access and use the Services, generating and delivering cost estimates and related outputs, operating and securing the Services, providing customer support on Customer's instructions, and complying with applicable legal obligations that arise from providing the Services to Customer in a B2B context.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Customer Personal Data is retained for as long as necessary to provide the Services to Customer under the Agreement, to maintain appropriate security and audit logs, to resolve disputes, and to comply with legal obligations and applicable limitation periods. In general:
- Account and profile data for authorized users is retained for the life of the Customer account and for a limited period after closure, in line with defined deprovisioning and backup schedules.
- Logs and telemetry (including security and audit logs relating to authorized users) are retained for a limited period consistent with security and operations needs.
- Ephemeral job data, such as code and configuration fetched into runners or containers to compute cost estimates, is retained only for the duration of the job and is deleted after completion, subject to standard backup and logging practices.
All such retention is in the capacity of Processor or Subprocessor for Customer or a Third-Party Controller.
For International Data Transfers to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. Competent Supervisory Authority
The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of the EU Member State in which the data exporter is established.
The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Annex II
Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Infracost will, at a minimum, implement the following types of security measures when Processing Customer Personal Data:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data is processed, include:
- Establishing security areas and restricting access paths
- Establishing access authorizations for employees and third parties
- Securing decentralized data processing equipment and personal computers
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures
- ID/password security procedures (special characters, minimum length, complexity requirements)
- Automatic blocking (for example, password or timeout)
- Multi-Factor Authentication (MFA)
- Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts
- Creation of one master record per user and user-master data procedures per data processing environment
- Encryption of archived data media
3. Data access control
Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures
- Control authorization schemes
- Default configuration
- Differentiated access rights (profiles, roles, transactions and objects)
- Disciplinary action against employees who access Personal Data without authorization
- Reports of access
- Access procedures
- Change procedures
- Deletion procedures
- Encryption
4. Disclosure control
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
- Encryption, pseudonymization or tunnelling
- Logging
- Transport security
5. Entry control
Technical and organizational measures to monitor whether Customer Personal Data has been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems
- Audit trails and documentation
6. Control of instructions
Technical and organizational measures to ensure that Customer Personal Data is processed solely in accordance with the instructions of the Controller include:
- Unambiguous wording of the contract
- Formal commissioning (request form)
- Criteria for selecting the Processor
7. Availability control
Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Customer Personal Data are protected against accidental destruction or loss (physical or logical), include:
- Backup procedures
- Mirroring of hard disks
- Uninterruptible power supply (UPS)
- Remote storage
- Anti-virus and firewall systems
- Disaster recovery plan in the event of a physical or technical incident
8. Separation control
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be processed separately include:
- Logical separation of databases
- "Internal client" concept and limitation of use
- Segregation of functions (production and testing)
- Procedures for storage, amendment, deletion and transmission of data for different purposes
9. Testing controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
- Periodic review and test of the disaster recovery plan
- Testing and evaluation of software updates before they are installed
- Authenticated (with elevated rights) vulnerability scanning
- Test environments for specific penetration tests
10. IT governance
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
- Processes for data minimization
- Processes for data quality
- Processes for limited data retention
- Processes for ensuring accountability
- Data subject rights handling policies
The measures in this Annex apply to all transfers described in this DPA.