Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement (the “Agreement”) between Wiz (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”.  This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below). 

WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and

WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:


1. INTERPRETATION AND DEFINITIONS

1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. 

1.2 Definitions: 

(a) “Account Personal Data” means any Personal Data contained within Account Data (as such term is defined in the Agreement) including that Customer provides to Wiz in connection with the creation or administration of its Wiz accounts, such as first and last name, business email address and role of a Permitted User, as further described in Appendix 1. 

(b) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

(c) “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Wiz, but has not signed its own agreement with Wiz and is not a “Customer” as defined under the Agreement. For the purposes of the DPA, the term Customer includes Customer Authorized Affiliates to the extent applicable. 

(d) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, and its associated regulations.

(e) “Controller” means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws. 

(f) “Customer Personal Data” means any Personal Data which is Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Account Personal Data.

(g) “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and United States, each to the extent applicable to the Processing of Personal Data under the Agreement.  

(h) “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.

(i) “EEA” means the European Economic Area.

(j) “EU Data Protection Law” means the GDPR, and the UK GDPR. 

(k) “Extended EEA Country” means a country within the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.

(l) “Member State(s)” means a country that belongs to the European Union and/or the EEA. 

(m) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(n) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. 

(o) “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(p) “Processor” means the entity which Processes Personal Data on behalf of the Controller or such equivalent term under Data Protection Laws.

(q) “Security Documentation” means Wiz’s security documentation that is applicable to the specific Services purchased by Customer, as updated from time to time, and as made reasonably available by Wiz. 

(r) “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available via https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, as may be updated, amended or superseded from time to time. 

(s) “Sub-processor” means any Processor engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.

(t) “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.

(u) “Third Country” has the meaning given in clause 8.2 below. 

(v) “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").

2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers.  For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA. 

3. WIZ’S PROCESSING OF PERSONAL DATA

3.1 Application. As used in clauses 3 – 8 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.

3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller, (ii) Wiz is the Processor and (iii) Wiz or its Affiliates may engage Sub-processors pursuant to the requirements set forth in clause 6 below. Notwithstanding the foregoing, the parties acknowledge and agree that Wiz shall be an independent Controller in respect of any Account Personal Data and shall Process such data in accordance with its then current Privacy Policy and Data Protection Laws. 

3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, including as set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA. 

3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem, (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination. Customer will have no further claims against Wiz (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this clause (excluding the obligations relating to the termination of this DPA set forth at clause 12 below).

4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. 

5. WIZ PERSONNEL 

5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.

6. AUTHORIZATION REGARDING SUB-PROCESSORS 

6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.  

6.2 Objection Right for Sub-Processors. To the extent required under Data Protection Laws, Wiz shall notify Customer of any intended changes concerning the addition or replacement of other Sub-processor(s) thereby giving Customer the opportunity to object. Notification may be provided by updating the Sub-processor page in Services and/or the Sub-Processor List. Customer may reasonably object to Wiz’s use of a Sub-processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data. Customer will have no further claims against Wiz due to the termination of the Agreement and/or the DPA in the situation described in this clause.

6.3 Where Wiz engages a Sub-processor, we shall do so by way of a written contract which imposes on the Sub-processor substantially the same data protection obligations as in this DPA. 

7. SECURITY

7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz. 

7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). At Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.

8. TRANSFERS OF DATA

8.1 Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.

8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data or Account Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses which are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.  

8.3  In the event Customer enables integrations with Third Party Services which involve transfers of Customer Personal Data between Wiz and the Third Party Service provider, Customer acknowledges and agrees that (a) such Third Party Service providers are not Sub-processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Service provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Service providers as required.

8.4 CCPA 

8.4.1 As used in this clause, “Sell” shall have the meaning assigned to it in the CCPA. 

8.4.2 Wiz shall not Sell Customer Personal Data. 

9. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws). 

10. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall, at the choice of Customer, delete or make available for return the Customer Personal Data within a reasonable market standard timeframe unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers. 

11. AUTHORIZED AFFILIATES

11.1. Contractual Relationship. The Parties acknowledge and agree that Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA with Wiz. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.

11.2. Communication. Customer shall remain responsible for coordinating all communication with Wiz under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.

13. RELATIONSHIP WITH AGREEMENT. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. 

14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion.


List of Schedules

SCHEDULE 1 – DETAILS OF THE PROCESSING

SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES

SCHEDULE 1 – DETAILS OF THE PROCESSING

Subject matter.

Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.

Nature and Purpose of Processing.

1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.

2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. 

3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.

4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.

Duration of Processing. 

Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Types of Customer Personal Data.

Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include without limitation, Customer Personal Data relating to the following categories: 

  • If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment; 
  • Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts and cloud object identifiers on its systems. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions, some limited Personal Data may be included. For example, depending on the naming conventions used by Customer, cloud user account names could include an individual’s name, as well as associated business email address, IP address and logs. 

Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services. 

Categories of Data Subjects.

As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer. 



SCHEDULE 2

STANDARD CONTRACTUAL CLAUSES

1 Incorporation and interpretation of the Standard Contractual Clauses 

1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable. 

1.2 In relation to transfers by Customer of Account Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that: Module One (Transfer controller to controller) of the Standard Contractual Clauses shall apply.

1.3  Where the data exporter is a Customer Authorized Affiliate, the Standard Contractual Clauses shall constitute a separate agreement between such Customer Authorized Affiliate acting as a data exporter and Wiz acting as data importer. 

1.4 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.  

1.5  If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors. 

1.6  If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

1.7 Where requested by Wiz, Customer shall be responsible for issuing such communications to Data Subjects as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.

1.8  Where Module Three applies, upon Wiz’s request, Customer shall provide Wiz with reasonable assistance to engage, consult or communicate with the Controller and Data Subjects on Wiz’s behalf.

1.9 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment. 

1.10. Until such time as Wiz enters into the Standard Contractual Clauses with any third party in a Third Country, Wiz warrants that the third party shall be subject to contracts concluded before 27 September 2021 on the basis of Decision 2010/87/EU.

1.11. Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:

Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer or Customer Authorized Affiliate as exporter and Wiz as importer.

Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.

Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.

Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.

1.12. Except where paragraph 1.11 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:

(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable); 

(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and

(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.


Appendix 1 – Completion of the Standard Contractual Clauses

ANNEX I

A. LIST OF THE PARTIES

Data Exporter:

Name and address: Customer or Customer Authorized Affiliate, as set out in the Agreement

Contact details: As set out in the Agreement

Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA

Data Importer:

Name and address: Customer or Customer Authorized Affiliate, as set out in the Agreement

Contact details: As set out in the Agreement

Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA

B. DETAILS OF PROCESSING/TRANSFER

CATEGORIES OF DATA SUBJECTS

Module 1: Permitted Users (generally employees or other workers of Customer) who access and use the Wiz platform

Modules 2 and 3: As described in Schedule 1

CATEGORIES OF PERSONAL DATA

Module 1: Name, business email address, role

Modules 2 and 3: As described in Schedule 1

SPECIAL CATEGORIES OF DATA (IF APPLICABLE)

Module 1: Not applicable

Modules 2 and 3: Wiz generally does not Process any special categories of Personal Data, however, Wiz does not control which Personal Data Customer shares with it in the context of the Services

FREQUENCY OF THE TRANSFER

Module 1: Infrequently, typically at commencement of the Services and when new users are added

Modules 2 and 3: As regular as is required to provide the Services

NATURE AND PURPOSE OF THE PROCESSING

Module 1: To enable Wiz to: give the users access to the platform, verify user identity, communicate with, and provide updates to users, manage Customer accounts and billing, provide support, monitor access to and use of the platform, investigate and prevent system abuse or bugs, maintain and improve the Services and fulfill legal obligations

Modules 2 and 3: As described in Schedule 1

RETENTION

Module 1: For such period as Wiz has a need to retain it for the purposes mentioned above and in accordance with its legal obligations and Wiz’s Privacy Policy

Modules 2 and 3: As described in Schedule 1

TRANSFER TO (SUB)PROCESSORS

Modules 2 and 3: As set out in Wiz’s Sub-Processor List.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. Where the data exporter is established outside of the EU, but within an Extended EEA Country, the competent supervisory authority shall be the supervisory authority of the Extended EEA Country in which the Transferring Client Entity is established. Where the data exporter is established outside an Extended EEA Country and the personal data originates from an Extended EEA Country which is not in the EU, the supervisory authority shall be the supervisory authority of the Extended EEA Country from which the Personal Data originated.

D. GOVERNING LAW AND CHOICE OF FORUM

GOVERNING LAW

For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1:

(a) where the data exporter is established in the EU or otherwise if the personal data originates from the EU, the Parties select the laws of the Netherlands

(b) where the data exporter is established outside the EU but within an Extended EEA Country, the Parties select the laws of the Extended EEA Country where the data exporter is established

(c) subject to (a) above, where the data exporter is established outside an Extended EEA Country, the parties select the laws of the Extended EEA Country where the personal data originates from

CHOICE OF FORUM

For the purposes of Clause 18 of the SCCs:

(a) where the data exporter is established in the EU or otherwise if the personal data originates from the EU, the Parties select the courts of the Netherlands

(b) where the data exporter is established outside the EU but within an Extended EEA Country, the Parties select the courts of the Extended EEA Country in which the data exporter is established

(c) subject to (a) above, where the data exporter is established outside an Extended EEA Country, the parties select the courts of the Extended EEA Country where the personal data originates from

E. OTHER

Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply:

For Clause 7 (Docking Clause), the optional provision will apply.

For Clause 9(a) of Modules 2 and 3, option 2 will apply and the time period for prior notice of Sub-processor changes shall be as set out in this DPA.

For Clause 11(a) (Redress) – the optional provision will not apply.



ANNEX II – WIZ SECURITY MEASURES

The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.