Introduction to Uber’s Data Processing Agreement
Uber requires that its suppliers agree to terms set forth in its Data Processing Agreement (“DPA”) governing the processing of Uber Confidential Information, including Uber Personal Data.
These terms are intended to protect the confidentiality and security of Uber’s Confidential Information, and enable Uber to meet its requirements under global data protection laws, including as applicable (based on suppliers’ processing of Uber Personal Data) the European Union’s General Data Protection Regulation (“GDPR”), Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”), Australia’s Privacy Act, India’s Digital Personal Data Protection Act and U.S. state privacy laws, including the California Consumer Privacy Act (“CCPA”).
The DPA specifically addresses:
- General requirements and limitations regarding suppliers’ processing of Uber Confidential Information, including with regard to data security, data security incidents, risk assessments and audits, data retention and deletion, and use of sub-processors.
- Designation of the roles played by Uber and suppliers as regards the processing of Uber Personal Data.
- The DPA specifically requires that the parties designate whether each is acting as:
- a “Controller” or “Processor”
- a “Business,” “Service Provider,” “Contractor” or “Third Party” as those terms are defined under the CCPA.
- The DPA also specifies the responsibilities of each party based on the above designations.
Please notify your Uber contact if you have questions regarding Uber’s DPA.
UBER DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement”) sets forth the requirements applicable to Supplier’s Processing of: (1) Uber Confidential Information, including Uber Personal Data (see Section 2 below); and (2) Uber Personal Data (see Section 3 below).
This Agreement forms part of the main agreement(s) between Uber and the company or entity (“Supplier”) (each individually a Party and collectively the “Parties”) and all further agreements executed under it (collectively, the “Main Agreement”).
SECTION 1: DEFINITIONS
In addition to the terms defined below, “Business,” “Contractor,” “Sale,” “Sell,” “Service Provider” and “Share” shall have the meanings set forth under the CCPA / CPRA.
- Controller: a natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data.
- Data Protection Laws: all laws and regulations applicable to the Processing of Uber Personal Data under this DPA.
- Data Subject: a natural person to whom Personal Data relates.
- Data Security Incident: any actual or reasonably suspected unauthorized access to, or acquisition or unlawful Processing of, Uber Confidential Information, or compromise of the security or integrity of such Uber Confidential Information or any System used by Supplier, or its Sub-processors, to Process such data.
- Delete: to physically or logically destroy Uber Confidential Information so that it cannot be recovered.
- Discovery: any instance in which Supplier discovers a Data Security Incident, is notified of a Data Security Incident, or would have discovered a Data Security Incident had it exercised reasonable diligence.
- Personal Data: any information that relates to an identified or identifiable Data Subject.
- Process: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Processor: a natural or legal entity that processes personal data on behalf of a Controller.
- Sub-processor: a Processor engaged by Supplier to Process Uber Confidential Information.
- System: any file system, computing system, database, device, equipment, server, website, application, software, storage media, network, infrastructure, networked environment or domain, including, without limitation, all development, quality assurance, staging and production environments.
- Uber: Uber Technologies, Inc. and any subsidiary or affiliate of Uber.
- Uber Data Subject: Any Data Subject whose Uber Personal Data is, or will be, Processed by Supplier.
- Uber Personal Data: Uber Data Subject Personal Data that is Processed by Supplier for the purposes of the Agreement.
For purposes of this Agreement, Uber Personal Data does not include the name and contact information of those Uber employees who are responsible for interacting with Supplier as relates to the Main Agreement, and any Personal Data incidentally received by Supplier as a result of those interactions.
- Uber Confidential Information: all data, records, or information, including Uber Personal Data, that is owned or controlled by Uber and disclosed, provided, or made available to Supplier by or on behalf of Uber, or collected, created, maintained, or used by Supplier on behalf of Uber, in connection with the Services, as may be further described in the Agreement.
- Uber System: any System that is owned, licensed, operated or controlled by Uber or to which Uber has granted Supplier access.
SECTION 2: REQUIREMENTS: UBER CONFIDENTIAL INFORMATION
- Data Security: Supplier shall maintain appropriate physical, administrative, organizational, and technical safeguards and other security measures to maintain the integrity, security and confidentiality of Uber Confidential Information, which measures shall include at a minimum those set forth in Appendix 1 to this Agreement.
- Security Manager: Supplier shall designate an individual responsible for managing and coordinating the performance of Supplier's obligations under this Agreement, and shall make that individual available to Uber throughout the term of the Main Agreement.
- Data Security Incidents
- Investigation. Supplier shall take all reasonable steps upon Discovery of a Data Security Incident to fully and thoroughly investigate the cause, nature, and scope of compromise of such Data Security Incident at Supplier's expense; remediate and mitigate the effects of the Data Security Incident; and provide to Uber all information required or requested for Uber to comply with applicable laws and internal Data Security Incident response processes. Upon Uber’s request, Supplier shall provide in-depth supplementary reports regarding its investigation and findings. Supplier shall, at its own expense, fully cooperate with Uber in investigating and responding to each Data Security Incident, including by allowing prompt access to its Systems and/or facilities by Uber and/or Uber’s investigator.
- Notice to Uber. Supplier shall notify Uber within forty-eight (48) hours of Discovery via the Uber persons or team designated to receive notices under the Main Agreement, and via email to vendorsecurity@uber.com. Supplier shall include in such notice, and supplement thereafter as necessary:
- a description of the Data Security Incident, including the cause (if identifiable), location, and date/time of the Data Security Incident and its Discovery;
- a description of the steps Supplier has taken or will take to investigate, and mitigate the impact of, the Data Security Incident;
- the types and volume of affected Uber Confidential Information, including whether the data was encrypted or redacted;
- the number, location (state/country), and identities of all affected Uber Data Subjects (if applicable), including where required by applicable Data Protection Laws the number of affected children, adolescents, or elderly Uber Data Subjects;
- the expected consequences of the Data Security Incident;
- a description of the measures Supplier has taken, or plans to take, to mitigate such consequences and further secure Uber Confidential Information; and
- Supplier’s plans for corrective action in response to the Data Security Incident.
- Third Party Notices. Supplier shall assist Uber to provide any notices required by law to any data subject, regulator or other third party (“Required Notice”). In such case, (i) Uber shall have sole control over the content, timing and method of distribution of such notice, unless otherwise required by law; (ii) Supplier may communicate a Required Notice only upon Uber’s prior written approval and instructions, unless otherwise required by applicable law (in which case Supplier shall provide Uber with a copy of such notice as soon as possible and in all events prior to communicating it, unless otherwise required by law); and (iii) Supplier shall reimburse Uber all reasonable expenses incurred by Uber in connection with any such notice where Supplier is wholly or partially responsible for the Data Security Incident.
- Non-Disclosure. Supplier shall refrain from disclosing the existence of or information about the Data Security Incident as relates to Uber or any Uber Confidential Information, Uber Data Subject or Uber System, including to any governmental authority, without Uber’s prior written consent.
- Mitigation and Remediation. Supplier shall promptly and without unreasonable delay (i) contain all vulnerabilities, activities and other circumstances that caused or gave rise to the Data Security Incident; and (ii) take all necessary and appropriate corrective actions, and reasonably cooperate with Uber, to mitigate and rectify such Data Security Incident.
- Public Inquiries. Supplier shall be responsible for managing and responding to inquiries, questions, or other requests from the media, press or other members of the public (“Public Inquiries”) relating to a Data Security Incident. Supplier shall designate one or more persons responsible for managing and responding to Public Inquiries and provide all such persons’ names and contact information to Uber upon request.
- Data Retention and Deletion: Supplier shall promptly Delete or return to Uber (at Uber’s election) all Uber Confidential Information in its possession, custody and control: (i) upon termination or expiration of the Main Agreement; (ii) upon the winding down or insolvency of the Supplier's business; (iii) once no longer necessary to perform its obligations under the Main Agreement; or (iv) upon request by Uber.
- Risk Assessments
- Supplier shall complete and pass an information security risk assessment (“Risk Assessment”) conducted by Uber before the Effective Date.
After the initial Risk Assessment, Supplier shall complete Risk Assessments as requested by Uber not more than once per year, or in the event that (i) Supplier begins providing additional products or services to Uber, or processing additional Uber Confidential Information, that were not in scope during the initial or latest assessment; (ii) the nature of or purposes for Processing Uber Confidential Information change(s); (iii) Supplier begins transferring Uber Personal Data of Uber Data Subjects in the European Economic Area (“EEA”) outside the EEA, or begins transferring Uber Personal Data to a different third country that was not in scope during the initial or latest assessment; (iv) Supplier makes a material change to the Processing of Uber Confidential Information that might impact the security of that data or Supplier's ability to comply with this Agreement; (v) an assessment is reasonably necessary for Uber to comply with Data Protection Laws or other data security compliance obligations; (vi) an assessment is reasonably necessary for Uber to comply with a request, order, or settlement with a supervisory or other legal obligation; or (vii) a Data Security Incident occurs.
- Requirements. Supplier shall provide to Uber all information reasonably necessary to complete the Risk Assessment. Such information may include, but is not limited to, risk assessment questionnaires; information security policies and procedures; data classification and handling policies and procedures; data security compliance or audit reports that assess the effectiveness of Supplier's information security program, system(s), internal controls, and procedures relating to the Processing of Uber Personal Data against an industry-accepted framework such as ISO, SSAE16, SOC, or NIST; and other information requested by Uber to assess Supplier's information security program, controls, and Processing of Uber Confidential Information.
Such information also includes details regarding Supplier’s Processing of Uber Personal Data, including the data types, purposes of processing, type and number of Uber Data Subjects, location of Processing, Sub-Processors, and data retention. Copies of Supplier's policies, procedures, or other documents may be provided to Uber, or presented over a mutually agreed-upon screen-sharing application.
- Audit Logs. Supplier shall maintain information System audit logs and records, including application logs, access logs, authentication logs, network logs, end user device logs, and security system logs, to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate System activity; to ensure that the actions of individual information System users can be uniquely traced to those users so they can be held accountable for their actions; and to enable appropriate investigations of Data Security Incidents.
- Audits
- Audits. Supplier shall permit Uber, with reasonable advance written notice and during working business hours, to audit, at Uber’s own expense, Supplier's facilities, networks, systems, procedures, Processing of Uber Confidential Information and compliance with this Agreement. Uber may exercise this right no more than once per year, except where a Data Security Incident has occurred or when required to comply with Data Protection Laws or other legal obligation.
- Audit Requirements. Supplier shall reasonably cooperate with the audits described in the prior paragraph by providing access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Uber Confidential Information or otherwise has access to Uber’s facilities, networks, systems, or procedures. Uber shall be responsible for its costs and expenses of such audit (or the fees and costs of the third party performing the audit), unless such audit reveals, or is initiated because of, a material breach of the Main Agreement including this Agreement, in which case Supplier will reimburse Uber for such costs and expenses. Supplier will promptly address and correct all deficiencies identified in any such audit.
- Sub-processors
- Permitted Sub-Processors. Supplier shall NOT permit any Sub-processor to Process Uber Confidential Information, except those identified during a Risk Assessment. If Supplier seeks to engage any other Sub-processor, it shall notify Uber, including regarding the purposes for which it will Process Uber Confidential Information, at least 30 days prior to any such Processing. If Uber does not object to such engagement, Uber will be deemed to have approved such engagement.
- Sub-processor obligations. Supplier shall enter into an agreement with each Sub-processor prior to its Processing of Uber Confidential Information that imposes obligations that are no less restrictive and at least equally protective of Uber Confidential Information than those imposed on Supplier under this Agreement. Uber may request a copy of such agreement, and may withhold consent to the use of such Sub-Processor if Supplier does not provide such agreement or such agreement does not contain sufficient protection of Uber Confidential Information. Supplier may redact such agreement prior to sharing with Uber to the extent necessary to protect its trade secrets or confidential information.
- Sub-processor compliance with Data Protection Laws. Supplier is responsible for ensuring the compliance of Sub-processors with applicable Data Protection Laws as relates to Sub-processors’ Processing of Uber Personal Data.
- Liability. Supplier's use of Sub-processors does not affect or limit Supplier's liability under this Agreement.
- Indemnification: Unless otherwise set forth in the Main Agreement, Company agrees to fully indemnify, defend and hold harmless Uber, its directors, officers, employees and agents from and against any and all losses, damages, fees and expenses arising from any claims due to, arising out of, or relating in any way to Company’s loss, alteration, or misuse of Uber Personal Data, unauthorized access to or destruction or disclosure of Uber Personal Data, or the Company’s violation of Section 4 of this DPA.
- Restriction of transfer of Bulk U.S. Sensitive Personal Data
- Definitions: For purposes of this Section 2.8:
- the terms “Access,” “Bulk,” “Bulk U.S. Sensitive Personal Data,” “Country of Concern,” “Covered Data Transaction,” “Covered Person,” “Data Brokerage,” “Government-related Data,” “Sensitive Personal Data,” and “U.S. person” shall have the meanings ascribed to them in the U.S. Department of Justice’s Sensitive Data Rule, 28 C.F.R. part 202;
- “Covered Data” shall refer to “Bulk U.S. Sensitive Personal Data” and/or “Government-Related Data.”
- “Covered Entity” shall refer to any “Covered Person” or “Country of Concern.”
- In the event that Supplier is provided Access to Covered Data in connection with the Main Agreement, Supplier represents and warrants that it:
- is not a Covered Entity.
- will not engage in any Covered Data Transaction involving Data Brokerage of such data with a Covered Entity.
- unless expressly permitted by Uber or otherwise permitted by 28 C.F.R. part 202, (A) will not permit any Covered Entity to Access such Covered Data; and (B) will prohibit any Sub-processor from providing Access to Covered Data to any Covered Entity.
- shall not circumvent, or attempt to circumvent, any encryption, masking, de-identification, or privacy-enhancing strategies or security controls deployed by Uber in connection with 28 C.F.R. part 202.
- will provide Uber any information reasonably requested by Uber in connection with compliance with this Section 2.8, or 28 C.F.R. part 202, including in connection with any investigation undertaken by Uber.
SECTION 3: REQUIREMENTS: UBER PERSONAL DATA
- Role of the Parties: Unless otherwise set forth in the Main Agreement, the Parties acknowledge and agree that Uber is Controller of the Uber Personal Data Processed in connection with the Main Agreement[1], and that Supplier is a Processor and/or Service Provider in connection with such processing.
- General Requirements: Supplier acknowledges and agrees that it:
- Understands and shall comply with all requirements under applicable Data Protection Laws as relates to its Processing of Uber Personal Data.
- Will notify Uber if it determines that it can no longer meet its obligations under applicable Data Protection Laws, unless otherwise required by law. Upon receiving such notice, Uber may take reasonable and appropriate steps to cease Supplier’s Processing of Uber Personal Data and remediate any risks to Uber Data Subjects resulting from such Processing, and Supplier will reasonably assist Uber in connection with such steps (including, as applicable, ceasing such Processing).
- Will not rent, sell, share, disclose, combine with other data, or otherwise Process Uber Personal Data for any purpose except as necessary to perform its obligations under the Main Agreement, unless otherwise agreed by the Parties in writing.
- Will not attempt to re-identify any Uber Data Subject using any deidentified data provided to or collected by Supplier.
- Will not permit any employee of Supplier to Process Uber Personal Data, except where such employee has agreed to maintain the confidentiality of the Uber Personal Data, or where such employees are required by law to maintain the confidentiality of Uber Personal Data.
- Processor / Service Provider / Contractor Requirements: If Supplier is designated as a Processor, Service Provider, or Contractor in the Main Agreement, it shall in connection with any Uber Personal Data Processed in accordance with that designation:
- If designated Processor and/or Service Provider, (a) only process Uber Personal Data in such capacities pursuant to Uber’s written instructions, except as otherwise required by law; and (b) not copy or reproduce Uber Personal Data for its own purposes or those of any Sub-processor or other third party, including for the purpose of training, developing, or refining machine learning models, artificial intelligence systems, or similar technologies.
- Assist Uber as reasonable and appropriate, in the context of Supplier’s Processing of Personal Data, to:
- meet Uber’s obligations under Articles 32 to 36 of the GDPR as applicable, or analogous obligations under other applicable Data Protection Laws; and
- demonstrate compliance with applicable Data Protection Laws, including as applicable Article 28 of the GDPR.
- Permit Uber to take reasonable and appropriate steps to ensure that Supplier uses Uber Personal Data in a manner consistent with its obligations under applicable Data Protection Laws, and to stop and remediate unauthorized use of Uber Personal Data.
- Unless otherwise required by law, promptly notify Uber of any request by an Uber Data Subject, or a governmental or regulatory body with authority over Supplier or Uber, relating to Supplier’s Processing of Uber Personal Data, and cooperate with Uber in connection with any response to such request or demand.
- Controller Requirements: if Supplier is designated as a Controller in the Main Agreement, it acknowledges and agrees that it:
- Is an independent Controller of Uber Personal Data under the Data Protection Laws.
- Will determine the purposes and means of its Processing of Uber Personal Data.
- Is responsible for its own compliance with applicable Data Protection Laws, including as relates to notifying Data Subjects of its Processing of their Personal Data and how they may exercise their rights, and obtaining any required consents.
- Will comply with the obligations applicable to it under the Data Protection Laws with respect to the Processing of Uber Personal Data.
- Cross-border Transfers: If Supplier’s Processing of Personal Data involves the transfer of Personal Data of Uber Data Subjects:
- It shall comply with all Data Protection Laws applicable to such transfers.
- It shall, to the extent applicable based on the location of the Uber Data Subjects whose Personal Data will be transferred, comply with the requirements set forth in Annex 2 to this Agreement.
SECTION 4: MISCELLANEOUS
- Effective Date: This Agreement is effective as of the execution date of the Main Agreement.
- Termination and Survival: Notwithstanding anything to the contrary in the Main Agreement, this Agreement and all provisions herein shall survive so long as, and to the extent that, Supplier Processes or retains Uber Confidential Information.
- Non-compliance. Supplier shall promptly inform Uber if it is unable to comply with this Agreement. If Supplier cannot comply within a reasonable period of time, or the Supplier is in substantial or persistent breach of this Agreement or its obligations under this Agreement, Uber shall be entitled to terminate this Agreement and the Main Agreement insofar as it concerns processing of Uber Confidential Information; provided, however, that any violation of Section 2.9 shall constitute a material breach and Uber shall have the right to immediately terminate the Main Agreement.
- Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
- Conflicts. In the event of a conflict between this Agreement and: (i) the Main Agreement, this Agreement shall prevail; and (ii) a Business Associate Agreement (“BAA”) pursuant to HIPAA between Uber and Supplier, the BAA shall prevail.
- Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Main Agreement apply to this Agreement.
APPENDIX 1
Organizational/Administrative, Physical and Technical Measures
- Organizational/Administrative Security Measures: Supplier has implemented, and will maintain and update as appropriate throughout its Processing of Uber Confidential Information (provided that such updates do not lessen or degrade the safeguards used to protect Uber Confidential Information):
- A comprehensive information and network security program, consisting of policies, practices and procedures that govern the Services (collectively, the “Data Security Program”) that (i) meets current best practices; (ii) complies with all applicable Data Protection Laws; (iii) to the extent applicable, complies with the Payment Card Industry Data Security Standards (PCI DSS); (iv) complies with or aligns to ISO 27000, NIST 800-53, CIS top 20 or HITRUST security standard; and (v) to the extent applicable, complies with the U.S. Department of Justice Sensitive Data Rule, 28 C.F.R. part 202. Supplier shall make documentation of its Data Security Program available to Uber upon request.
- A documented data loss prevention program designed to detect, prevent, and mitigate the risk of Data Security Incidents, which shall include, at a minimum:
- appropriate policies and technical controls designed to prevent loss of Uber Confidential Information; and
- a disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Uber Confidential Information as well as security needs for back-up sites and alternate communication networks.
- Policies and procedures to limit access to Uber Confidential Information to those who require such access to perform their roles and responsibilities as relates to the Main Agreement.
- Procedures to verify all access rights through effective authentication methods.
- A process to perform information security risk assessments at least once every two years of any Supplier Processors or Sub-processors with access to Uber Confidential Information. Such Processors / Sub-processors shall have information security controls no less protective of Uber Confidential Information than the requirements in this Agreement. Uber may request a copy of such risk assessment Supplier performed on any Sub-processor, and may withhold consent to the use of such Sub-processor if the assessment reveals the Sub-processor does not have sufficient information security controls to protect Uber Confidential Information.
- A security awareness program for Supplier's workforce, which includes regular training on information security topics such as secure data handling, safeguarding passwords and credentials, social engineering, and how to identify and report potential security incidents.
- A continuous vulnerability management program utilizing an industry standard risk-rating process to prioritize the remediation of discovered vulnerabilities. If a vulnerability is detected that could impact the confidentiality, availability, or integrity of Uber Confidential Information, upon request, Supplier shall provide sufficient evidence to demonstrate that the vulnerability has been remediated and to enable Uber to determine if a Data Security Incident has occurred.
- A secure asset management program that enforces an industry standard security baseline, including asset classification and inventory of devices/Systems where Uber Confidential Information is Processed.
- Formal, written processes to detect, identify, report, respond to, mitigate and remediate Data Security Incidents in a timely manner, which shall include processes for Supplier's workforce, including System administrators, to report anomalous events to the incident handling team and Supplier to notify impacted individuals and entities, regulators, and other members of the public when needed or required.
- Incident simulations such as tabletop or red team exercises that are planned and conducted on a routine basis.
- An established program for penetration tests that include a full scope of blended attacks, such as client-based and web-application.
- A governance and risk management program for cloud services so that baseline security configurations and protections are enabled.
- Secure coding practices appropriate to the programming language in use, and training for all personnel in writing secure code.
- A government agency data access policy that refuses government access to data, except where such access is required by law, or where there is imminent risk of serious harm to individuals.
- Policies and procedures for assessing legal basis for, and responding to, government agency requests for data.
- Specific training of personnel responsible for managing government agency requests for access to data, which may include requirements under applicable Data Protection Laws.
- Processes to document and record government agency requests for data, the response provided, and the government authorities involved.
- Procedures to notify Uber about any request or requirement for government agency access to data, unless legally prohibited.
- Physical Security Measures
- Supplier has implemented, and will maintain and update as appropriate throughout its Processing of Uber Confidential Information, appropriate physical security measures for any facility used to Process Uber Confidential Information, and will continually monitor any changes to the physical infrastructure, business, and known threats.
- Technical Security Measures: Supplier shall throughout its Processing of Uber Confidential Information:
- perform vulnerability scanning and assessments on applications and infrastructure used to Process Uber Confidential Information.
- secure its computer networks using multiple layers of access controls, including multi-factor authentication, to protect against unauthorized access.
- restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
- implement and maintain event logs on all Systems that Process Uber Confidential Information that are sufficiently detailed to enable Supplier to determine whether a Data Security Incident has occurred and the likely consequences of the Data Security Incident including, but not limited to, whether Uber Confidential Information was accessed, acquired, modified, or deleted. These event logs must be maintained for at least thirteen (13) months and made available to Uber upon request within seven (7) calendar days of the request. If logs contain event information related to other entities or customers, Supplier must be able to segregate Uber event log data when requested.
- identify other computer Systems and applications that warrant security event monitoring and logging, and reasonably maintain log files.
- review and analyze event logs using continuous, automated monitoring and alerting processes to detect and respond to and investigate anomalous events and activities.
- use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its Systems that Process Uber Confidential Information.
- enforce network boundary and inter-network protections.
- encrypt Uber Confidential Information in transit.
- encrypt Uber Confidential Information at rest and solely manage and secure all encryption keys (i.e. no other third party shall have access to these encryption keys, including Processors or Sub-processors).
APPENDIX 2
Cross-border Transfers
Unless otherwise agreed by the parties, this Appendix 2 defines the mechanisms that the Parties will use to enable cross-border transfers of Personal Data where required by Data Protection Laws. Specifically, to the extent the Services require the transfer of Personal Data of Uber Data Subjects in the following countries, the Parties agree to the following:
- EEA or Switzerland. If Supplier’s services involve transfers of the Personal Data of Uber Data Subjects in the EEA or Switzerland to a country or territory outside of those regions that has not been recognized by the European Commission as providing an adequate level of data protection, the Parties will incorporate into this Agreement, and agree to comply with, the Standard Contractual Clauses of June 4, 2021 (“SCCs”) approved by the European Commission, unless otherwise agreed by the parties in this Agreement. If the SCCs are so incorporated:
- Module 1 (Controller to Controller) shall apply if Supplier is designated as a Controller;
- Module 2 (Controller to Processor) shall apply if Supplier is designated as a Processor;
- The optional Docking clause (Clause 7) shall not apply;
- The optional language contained in Clause 11 (Redress) shall not apply;
- The governing law for the purposes of Clause 17 (Governing law) shall be the law of the Netherlands;
- The courts under Clause 18 (Choice of forum and jurisdiction) shall be the courts of the Netherlands, unless otherwise agreed by the parties in the Main Agreement; and
- The competent supervisory authority for purposes of Clause 13 (Supervision) of the SCCs is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), unless otherwise agreed by the parties in the Main Agreement.
- The Parties represent that they do not believe the laws and practices in any country to which Uber Personal Data is transferred for purposes of the Main Agreement will prevent Supplier from fulfilling its obligations under the SCCs.
- In lieu of the Annex 1 to the SCCs, the Parties agree that:
- The identity and contact details of Uber, as data exporter, and Supplier, as data importer, are as specified in the Main Agreement and this Agreement.
- The nature and purpose(s) of the processing are for the Services or as otherwise specified in the Main Agreement or this Agreement.
- The Uber Personal Data transferred will be retained by Supplier as specified in the Main Agreement or this Agreement.
- The categories of Uber Data Subjects, and of the Uber Personal Data transferred, are those documented in the Risk Assessment performed prior to Processing Uber Personal Data.
- In lieu of the Annex 2 to the SCCs, the Parties agree to comply with Appendix 1 to this Agreement.
- In lieu of the Annex 3 to the SCCs (if applicable), the Parties agree that the authorized Sub-processors of Uber Personal Data are those identified in the Risk Assessment performed prior to Processing Uber Personal Data, or as otherwise specified in this Agreement or the Main Agreement.
- United Kingdom: If Supplier’s services involve transfers of the Personal Data of Uber Data Subjects in the United Kingdom to a jurisdiction not recognized as providing an adequate level of data protection, the SCCs shall apply subject to the terms of the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A of the United Kingdom Data Protection Act 2018 (“UK Addendum”). Such UK Addendum shall be deemed executed between Supplier and Uber subject to Section 3.5(b) of this Agreement as appropriate.
- Brazil: If Supplier’s Processing of Personal Data involves the cross-border transfer of Uber Personal Data of Uber Data Subjects in Brazil, whether between the Parties or to third parties, the Supplier shall ensure compliance with all applicable Data Protection Laws, including the adoption of appropriate legal mechanisms, such as Standard Contractual Clauses or other legally required instruments, and shall ensure that the Processing provides, at a minimum, the same level of protection and safeguards for the Personal Data as set forth in this Agreement.
- Cross-border Transfers between the Parties of Personal Data of Uber Data Subjects in Brazil. If the Processing of Personal Data involves the cross-border transfer between the Parties of Uber Personal Data of Uber Data Subjects in Brazil to a country or territory that has not been recognized by the competent authority as providing an adequate level of data protection, the Parties hereby incorporate, as if fully set forth herein, and agree to comply with the Brazilian Standard Contractual Clauses contained in Annex II of Resolution No. 19 of 2024 issued by the Brazilian Data Protection Authority (“Brazil SCCs”), available at: Brazilian Standard Contractual Clauses. In such cases:
- For the purposes of any cross-border transfer of Personal Data, Uber or any of its Affiliates shall be considered the Data Processing Agent.
- The informational tables contained in Clause 1.1 of the Brazil SCCs shall be replaced with the qualification and contact information of Uber and the Supplier, as set forth in the Main Agreement, this Agreement, and each Party’s Privacy Notice.
- For the purposes of the checkboxes set forth in Clause 1.1 of the Brazil SCCs, regarding the roles of the Parties, the “Exporter/Controller” checkbox shall be deemed selected for Uber. For the Supplier, the “Importer” checkbox that corresponds to the classification of the Supplier under Clause 3.1 of this Agreement ("Role of the Parties") or as set forth in the Main Agreement shall be deemed selected.
- The Parties agree that: (i) the primary purpose of the cross-border transfer of Uber Personal Data is the performance of the services as specified in the Main Agreement or this Agreement; (ii) the Uber Personal Data transferred will be retained as specified in the Main Agreement or this Agreement, in accordance with applicable Data Protection Law and each Party’s Privacy Notice; and (iii) the categories of Uber Data Subjects and the respective Uber Personal Data transferred are those documented in the Risk Assessment carried out prior to the Processing of such Personal Data. This information replaces the data transfer description table contained in Clause 2.1 of the Brazil SCCs.
- For the purposes of Clause 3.1 of the Brazil SCCs, which addresses Onward Transfers, the Parties agree that Option A shall apply in cases where both Parties act as Controllers. Where the Supplier acts as a Processor, Option B shall apply, and the descriptive table set forth in Clause 3.1 is replaced by the Risk Assessment conducted prior to the Processing of Uber Personal Data by the Supplier or as set forth in the Main Agreement.
- For the purposes of Clause 4.1 of the Brazil SCCs, which addresses Responsibilities of the Parties, the Parties agree that Option A shall apply, and that both the Exporter and Importer are responsible for fulfilling the obligations set forth in items “a,” “b,” and “c,” where both Parties act as Controllers. Where the Supplier acts as a Processor, such obligations shall be the sole responsibility of Uber.
- The table contained in Section III of the Brazil SCCs is replaced by Appendix 1 of this Agreement.
- Saudi Arabia. If Supplier's Processing of Personal Data involves the transfer of Uber Personal Data of Uber Data Subjects in Saudi Arabia to a country or territory that has not been recognized by the competent authority as providing an adequate level of data protection, the Parties hereby incorporate and agree to comply with the Standard Contractual Clauses For The Transfer Of Personal Data, version 1.0 of September 2024 (“KSA SCCs”) approved by the Saudi Data & AI Authority (SDAIA), unless otherwise agreed by the parties in this Agreement. If the KSA SCCs are so incorporated:
- Template 1: (Controller to Controller) shall apply if Supplier is designated as a Controller;
- Template 2: (Controller to Processor) shall apply if Supplier is designated as a Processor;
- The governing law for the purposes of Clause 8 (Governing Law and Jurisdiction) shall be the law of the Kingdom of Saudi Arabia. Any dispute arising from the application of the provisions of these Clauses shall fall under the jurisdiction of the Kingdom and be vested in its courts;
- The competent authority for purposes of Clause 9 (Compliance with the Requests of the Competent Authority) is the Saudi Data & AI Authority (SDAIA);
- The Parties represent that they do not believe the laws and practices in any country to which Uber Personal Data is transferred for purposes of the Main Agreement will prevent Supplier (the “Personal Data Importer”) from complying with and fulfilling its obligations under the KSA SCCs;
- For purposes of Annex 1, the information of the Parties is as set forth in this Agreement and the Main Agreement. Uber is designated as the Personal Data Exporter and Controller of the Personal Data of Uber Data Subjects, while the Supplier is designated as the Personal Data Importer of the Personal Data of Uber Data Subjects, performing the role specified in Clause 3.1 ‘Role of the Parties’ of this Agreement;
- For purposes of Annex 2, the Parties agree that:
- The categories of Uber Data Subjects, and of the Uber Personal Data transferred, are those documented in the Risk Assessment performed prior to Processing Uber Personal Data.
- The purpose(s) of transfer are for the Services or otherwise specified in the Main Agreement or this Agreement.
- The Uber Personal Data transferred will be retained by the Supplier as specified in the Main Agreement or this Agreement.
- In lieu of Annex 3 of the KSA SCCs, the Parties agree to comply with Appendix 1 to this Agreement.
Please refer to Uber’s Privacy Notice for a determination of Uber Confidential Information controllers in your region. Where an entity other than the designated controller enters into this Agreement on behalf of Uber, it is authorized to do so by the relevant data controller(s). Uber reserves the right to designate another Uber affiliate as Data Controller for purposes of this Agreement.