Data Processing Addendum
Effective Starting March 18, 2024
This Data Processing Addendum (“DPA”) forms part of an agreement for the provision of the Services that references this Addendum between PagerDuty, Inc. (“PagerDuty”) and Customer (as defined in that agreement) (the “Agreement”). This DPA incorporates the terms of the Agreement and reflects the parties’ agreement with respect to the Processing of Customer Personal Data in accordance with the requirements of the Data Privacy Laws. To the extent the terms and conditions of this DPA are inconsistent with the Agreement or applicable Order Form, this DPA shall control as it relates to the Processing of Customer Personal Data. References to the Agreement will be construed as including this DPA. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
This DPA shall be effective on the effective date of the Agreement, or if the Agreement was effective prior to the publishing of this version of the DPA, then the Effective Starting date published above for this DPA (“Effective Date”). This DPA is not applicable or legally binding for entities who do not have a separate agreement with PagerDuty that expressly incorporates this DPA.
Data Processing Terms
-
Definitions
For the purposes of this DPA:
-
‘Controller’ and ‘Processor’ have the meanings set forth under applicable Data Privacy Laws.
-
‘Customer Personal Data’ means any Customer data that is Personal Data and is Processed by PagerDuty in connection with providing the Services pursuant to the Agreement. Customer Personal Data does not include personal data that relates to Customer’s relationship with PagerDuty, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information, or Service usage data collected by PagerDuty in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
-
‘Data Privacy Laws’ means all laws, regulations, and other legal or self-regulatory requirements in any jurisdiction that are directly applicable to PagerDuty’s Processing of Customer Personal Data under the Agreement, which may include without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and its implementing regulations and applicable amendments, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), equivalent requirements in the United Kingdom including the UK Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”), and the Swiss Federal Act on Data Protection (“FADP”).
-
‘Data Subject’ means an identified or identifiable natural person about whom Customer Personal Data relates.
-
‘Personal Data’ includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by Data Privacy Laws.
-
‘Process’ or ‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or communication, restriction, erasure or destruction.
-
‘Security Breach’ means any breach of security leading to the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
-
‘Standard Contractual Clauses’ (or “EU SCCs”) refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj completed as set out below in Section 8.
-
Scope and Purposes of Processing
-
Customer and PagerDuty acknowledge and agree that with regard to the processing of Customer Personal Data, Customer may act as either a Controller or a Processor and PagerDuty is a Processor.
-
Customer directs PagerDuty, and PagerDuty agrees, to Process Customer Personal Data solely: (1) on Customer’s behalf; (2) in accordance with Customer’s written instructions, as may be provided by Customer to PagerDuty from time to time; (3) for the limited and specified business purpose(s) of providing the Services as described in the Agreement, including this Addendum and any Order Form and for no other commercial purpose; or (4) as otherwise permitted by Data Privacy Laws. Customer will ensure that its instructions comply with Data Privacy Laws and that PagerDuty’s processing of Customer Personal Data in accordance with Customer’s instructions will not cause PagerDuty to violate any applicable law or regulation, including Applicable Data Privacy Laws. Customer acknowledges that PagerDuty is not responsible for determining which laws or regulations are applicable to Customer’s business, nor whether PagerDuty’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer is solely responsible for the accuracy, quality, and legality of the Customer Personal Data provided to PagerDuty by or on behalf of Customer and the means by which Customer acquired any such Customer Personal Data. Customer agrees it will not provide PagerDuty with any sensitive or special categories of Personal Data that impose specific data security or data protection obligations on PagerDuty in addition to or different from those specified in this DPA or Agreement.
-
If a Data Privacy Law to which PagerDuty is subject requires PagerDuty to Process Customer Personal Data in a manner that conflicts with an instruction provided by Customer, PagerDuty will inform Customer of that legal requirement before Processing, unless that law prohibits PagerDuty from providing such information on important grounds of public interest within the meaning of Data Privacy Laws.
-
The scope, nature, purposes, and duration of the processing, the types of Customer Personal Data Processed, and the categories of data subjects concerned are set forth in this DPA, including its Schedule A.
-
Customer Personal Data Processing. PagerDuty will:
-
Ensure that the persons it authorizes to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
-
Taking into account the nature of the Processing, assist Customer by maintaining appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to a verifiable Data Subject Request under Data Privacy Laws where possible. Upon Customer’s written request, PagerDuty shall use commercially reasonable efforts to assist, or to cause any applicable subprocessor to assist, Customer in complying with Customer’s obligations to respond to such requests, to the extent PagerDuty or the subprocessor is legally permitted to do so and the response to the verifiable request is required under Data Privacy Laws and to the extent Customer does not have the ability to resolve the request through self-service features made available in the Service. To the extent legally permitted, Customer shall be responsible for PagerDuty’s provision of such assistance, including any fees associated with the provision of additional functionality.
-
Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Customer Personal Data; (ii) any Data Subject requests for exercising their rights under Data Privacy Laws; or (iii) any government or Data Subject requests for access to or information about PagerDuty’s Processing of Customer Personal Data on Customer’s behalf, (collectively “Data Subject Requests”), unless prohibited by Data Privacy Laws. If PagerDuty receives a Data Subject Request in relation to Customer's data, PagerDuty will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Customer Personal Data are communicated to PagerDuty, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
-
Upon Customer’s request, provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Data Privacy Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to PagerDuty.
-
Subprocessors
-
PagerDuty’s Subprocessors. A list of subprocessors for the Services is located at https://www.pagerduty.com/subprocessors/ . Customer has instructed or authorized the use of subprocessors to assist PagerDuty with respect to the performance of PagerDuty’s obligations under the Agreement, including without limitation the processing of Customer Personal Data. Customer acknowledges and agrees that PagerDuty may engage third-party subprocessors to assist PagerDuty in providing or maintaining the Services provided under the Agreement. PagerDuty shall maintain an updated list of subprocessors and Customer may receive notification of changes to the published list of subprocessors by subscribing to the published RSS feed. To the extent that Customer objects to any new subprocessor, PagerDuty will address such objection in accordance with applicable law.
-
Liability for Subprocessors. PagerDuty shall enter into written agreements that include subprocessor obligations to comply with Data Privacy Laws, and will be liable for the acts and omissions of its subprocessors to the same extent PagerDuty would be liable if performing the services of each subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
-
Objections to Subprocessors. If PagerDuty processes Customer Personal Data of residents in the European Economic Area, the United Kingdom, or Switzerland on Customer’s behalf, in order to exercise its right to object to PagerDuty’s use of a new subprocessor, Customer shall notify PagerDuty promptly in writing within thirty (30) business days after PagerDuty’s updated list of subprocessors has been made available. In the event Customer objects to a new subprocessor pursuant to this subprovision, and that objection is not unreasonable, PagerDuty will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to new subprocessor without unreasonably burdening the Customer. If PagerDuty is unable to make available either type of change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Services which cannot be provided by PagerDuty without the use of the objected-to new subprocessor by providing written notice to PagerDuty.
-
Copies of Subprocessor Agreements. The parties agree that the copies of the subprocessor agreements that must be sent by PagerDuty to Customer pursuant to the Standard Contractual Clauses (where applicable) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by PagerDuty beforehand; and, that such copies will be provided by PagerDuty only upon reasonable request by Customer.
-
Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PagerDuty will use appropriate administrative, technical, physical, and organizational measures to maintain a level of security appropriate to the risk of processing Customer Personal Data. Exhibit B sets forth additional information about PagerDuty’s technical and organizational security measures. PagerDuty regularly monitors compliance with these measures. PagerDuty will not materially decrease the overall security of the Services during Customer’s subscription term.
-
Security Breach Management and Notification
PagerDuty maintains a security incident management procedure and shall, to the extent required under the applicable Data Privacy Law, notify Customer of any Security Breach by PagerDuty or its subprocessors of which PagerDuty becomes aware without undue delay. Such notification will include the following information, to the extent known by PagerDuty: (i) the nature of the Security Breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Customer Personal Data records concerned; and (ii) measures taken or proposed to be taken by PagerDuty to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Customer shall be responsible for any notification to Data Subjects affected by a Security Breach unless Customer and PagerDuty make other arrangements. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users. PagerDuty’s provision of notice of a matter will not be construed as an acknowledgement by PagerDuty of any fault or liability with respect to the matter.
-
Deletion of Customer Personal Data
Upon Customer’s request and subject to the limitations described in the Agreement, PagerDuty shall delete Customer Personal Data in accordance with its security policies and processes, and upon Customer’s request will provide written certification of the deletion.
-
Data Transfers
-
PagerDuty shall ensure that international transfers are in compliance with all Data Privacy Laws. Where PagerDuty engages in an onward transfer of Customer Personal Data, PagerDuty shall ensure that a lawful data transfer mechanism is in place prior to transferring Customer Personal Data from one country to another.
-
European Economic Area. Except as provided in Section 8.2(d) below, with respect to Customer Personal Data transferred from the European Economic Area (“EEA”) for which the GDPR governs the international nature of the transfer, to the extent legally required, Customer and PagerDuty are deemed to have signed the EU SCCs, which form part of this DPA and will be deemed completed as follows:
-
Module 2 of the EU SCCs applies to transfers of Customer Personal Data from Customer (as a controller) to PagerDuty (as a processor) and Module 3 of the EU SCCs applies to transfers of Customer Personal Data from Customer (as a processor) to PagerDuty (as a subprocessor);
-
Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;
-
Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Exhibit C of this DPA and PagerDuty shall propose an update to that list at least 30 days in advance of any intended additions or replacements of sub-processors in accordance with Section 4.3 of this DPA;
-
Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
-
Under Clause 17 of Modules 2 and 3 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland;
-
Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the parties select the courts of Ireland;
-
Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A of this DPA;
-
Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
-
Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Exhibit B of this DPA; and
-
Annex III of Modules 2 and 3 (List of subprocessors) is intentionally not included as the parties have chosen general authorization under Clause 9.
-
United Kingdom. With respect to Customer Personal Data transferred from the United Kingdom for which the UK Data Protection Law (and not the law in any EEA jurisdiction or Switzerland) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf ) (“IDTA”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the IDTA. Undefined capitalized terms used in this provision shall mean the definitions in the IDTA. For purposes of the IDTA, they shall be deemed completed as follows:
-
Table 1 of the IDTA:
-
The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Agreement.
-
The Key Contacts shall be the contacts set forth in the Agreement.
-
Table 2 of the IDTA: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
-
Table 3 of the IDTA: Annex 1A, 1B, II, and III shall be set forth in Exhibits A, B, and C of this DPA.
-
Table 4 of the IDTA: Both parties may end the IDTA as set out in Section 19 of the IDTA.
-
By entering into this DPA, the Parties are deemed to be signing the IDTA, the Mandatory Clauses in Part 2, and its applicable Tables and Appendix Information.
-
Switzerland. For transfers of Customer Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 8.2 of this DPA, but with the following differences to the extent required by the FADP:
-
References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
-
The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
-
References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
-
Under Annex I(C) of the EU SCCs (Competent supervisory authority):
-
Where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
-
Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in Section 8.2(h) of this DPA insofar as the transfer is governed by the GDPR.
-
To the extent the EU SCCs apply, nothing in this DPA or the Agreement shall be construed to prevail over any conflicting clause of the EU SCCs. Each party acknowledges that it has had the opportunity to review the EU SCCs.
-
Changes in Laws. If the transfer of Customer Personal Data under the SCCs or other lawful data transfer mechanism, approved by the relevant data protection authority, ceases to be lawful or the additional safeguards are no longer effective, PagerDuty may, at its discretion: (a) cease transfers of the Customer Personal Data to, or access to such Customer Personal Data from, the relevant jurisdictions; or (b) promptly cooperate with Customer to facilitate use of an alternative lawful data transfer mechanism and alternative additional safeguards that will permit Customer to continue to benefit from the Services in compliance with Data Privacy Laws relating to the protection of Customer Personal Data.
-
CCPA. The following terms apply where PagerDuty Processes Customer Personal Data within the scope of the CCPA:
-
For the purposes of the CCPA, PagerDuty acts as a CCPA Service Provider for Customer Personal Data.
-
PagerDuty will not sell or share (as defined in CCPA) Customer Personal Data, or retain, use, or otherwise Process Customer Personal Data outside of the direct business relationship between Customer and PagerDuty.
-
PagerDuty will not combine Customer Personal Data with any Personal Data that PagerDuty receives from or on behalf of any other party, or collects from PagerDuty’s own interactions with consumers, provided that PagerDuty may combine Customer Personal Data for a purpose permitted under CCPA if directed to do so by Customer, or as otherwise expressly permitted by CCPA.
-
PagerDuty will enter into written agreements that comply with CCPA when PagerDuty subcontracts with another person in providing the Services to Customer.
-
If PagerDuty reasonably determines it is unable to comply with any of its obligations under CCPA, it will inform Customer within the time period required under CCPA.
-
Customer may, upon written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data made available to PagerDuty by Customer.
-
Audits and Certifications. The parties agree that any audits required by Data Privacy Laws shall be carried out in accordance with the following specifications:
-
Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, PagerDuty shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of PagerDuty and that has signed a nondisclosure agreement reasonably acceptable to PagerDuty) information regarding PagerDuty’s compliance with the obligations set forth in this DPA and its Subprocessors (to the extent that they make such information generally available to customers).
-
Following any notice by PagerDuty to Customer of a Security Breach, upon Customer’s reasonable belief that PagerDuty is in breach of its obligations in respect of protection of Customer Personal Data under this DPA, or if such audit is required by Customer’s supervisory authority, Customer may contact PagerDuty in accordance with the notice procedure described in the Agreement to request an on-site audit of PagerDuty’s procedures relevant to the protection of Customer Personal Data, but only to the extent required under Data Privacy Laws. Any such request shall occur no more than once annually. Customer shall reimburse PagerDuty for any time expended for any such on-site audit at PagerDuty’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and PagerDuty shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PagerDuty. Customer shall promptly notify PagerDuty with information regarding any non-compliance discovered during the course of an audit, and PagerDuty shall use commercially reasonable efforts to address any confirmed non-compliance.
-
Limitation of Liability.
Any claims brought in connection with this DPA will be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement. Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, any Order Form or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to any limitations of liability in the Agreement, and any reference in such section or sections to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA, including all attachments hereto.
-
Order of Precedence.
This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms in the Agreement shall apply. With respect to the rights and obligations of the parties with respect to the Processing of Customer Personal Data, the terms of this DPA will control and the parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit, or Standard Contractual Clauses (as applicable) that the parties may have previously entered into regarding the Processing of Customer Personal Data in connection with the PagerDuty Services.
-
Term and Termination; Duration of Processing.
Notwithstanding expiration or termination of the Agreement, this DPA and the Standard Contractual Clauses (if applicable) will remain in effect until the deletion of all Customer Personal Data as described in this DPA and will automatically expire upon such deletion.
EXHIBIT A
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s): Customer
The data exporter is a user of the importer’s services pursuant to their underlying commercial agreement. The data exporter acts as a controller with respect to its own Customer Personal Data. To the extent permitted by the commercial agreement, the exporter also is permitted to use the contracted services as a processor on behalf of third parties.
Data importer(s): PagerDuty, Inc.
The data importer is the provider of services to the exporter pursuant to their underlying commercial agreement. The data importer acts as the exporter’s processor.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred: The data exporter may transfer Customer Personal Data to PagerDuty in connection with the data exporter’s use of the Services. Depending on the data exporter’s or the data exporter’s users’ interactions with and inputs to the Services, the data subjects whose personal data is transferred may include without limitation data exporter’s employees, consultants, contractors, agents, and end users who are residing in the European Economic Area, the United Kingdom and Switzerland.
Categories of personal data transferred: The personal data transferred concern the following categories of data (please specify): The data exporter may transfer Customer Personal Data to PagerDuty in connection with the data exporter’s use of the Services. Depending on the data exporter’s or the data exporter’s users’ interaction with and input to the Services, such Customer Personal Data may include without limitation the following categories of personal data:
- User browser, app, and device information (e.g., unique identifiers (e.g., cookies), IP address, device/browser characteristics, location at the city, county, and region levels)
- Coarse user location, including state/province and country
- User account information (e.g., login email, first name, last name, display name, user avatar, timezone)
- Customer employee data (e.g., organizational charts and employee first name, last name, title, organization, manager, email, employment start date, location at the city and state levels)
- Contact, role, and communication information for responders designated by Customer’s users (e.g., telephone number, email address, collaboration platform IDs, employer, title, company position, incident role, comments)
- Personally identifiable incident and participant workflow data (e.g., incident summary, workflow state, creators, recipients, actions)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The personal data transferred concerns the following special categories: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.
Nature of the processing: PagerDuty’s Processing activities shall be limited to those discussed in the underlying Agreement and the DPA between the parties.
Purpose(s) of the data transfer and further processing: The objective of the transfer and further processing of personal data by Data Importer is the access and use of PagerDuty services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data will be retained for the period of time necessary to provide the Services to Customer under the Agreement and/or in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent such information is provided to subprocessors for purposes of providing the Services.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
See Section 8.2(h) of the DPA.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
PagerDuty shall comply with Exhibit B to the DPA.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
PagerDuty shall require its subprocessors to take appropriate technical and organizational measures to provide assistance to the controller and/or data exporter that are at least as protective as those identified in Exhibit B.
EXHIBIT B
This Appendix forms part of the SCCs and must be completed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with SCCs (or document/legislation attached):
The applicable PagerDuty Information Security Practices, which may be obtained by following the instructions at https://www.pagerduty.com/data-security-policy, describe the technical and organizational security measures that PagerDuty implements.
EXHIBIT C
A list of Subprocessors for the Services is located at https://www.pagerduty.com/subprocessors/.