Data Processing Addendum​

Last updated: May 7, 2024

THIS DATA PROCESSING ADDENDUM (“DPA”) APPLIES BETWEEN WEIGHTS AND BIASES, INC., A DELAWARE CORPORATION WITH A PRINCIPAL PLACE OF BUSINESS LOCATED AT 400 ALABAMA STREET, SUITE 202, SAN FRANCISCO, CA 94110 (“W&B”), AND CUSTOMER (DEFINED BELOW) WHERE CUSTOMER CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO W&B FOR PROCESSING BY MEANS OF A W&B ASSET, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA (INCLUDING FOR CLARITY THE STANDARD CONTRACTUAL CLAUSES) EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A “CUSTOMER”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO W&B. W&B RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER’S CONTINUED TRANSFER OF PERSONAL DATA.

This DPA forms part of W&B’s Master Service Agreement (available at: https://wandb.ai/site/terms), unless W&B and Customer have entered into a separate written agreement for the use of the Service whereby such other agreement will control (“Agreement”) between the parties under which W&B will provide the W&B Assets to Customer which involves the Processing of Personal Data subject to Applicable Data Protection Laws. The purpose of this DPA is to set forth the terms under which W&B Processes Personal Data on behalf of Customer.

This DPA consists of the main body and Schedules 1 through 4. Acceptance of this DPA shall include acceptance of the Standard Contractual Clauses (defined below) and its Annexes (see Schedule 2 below).

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the Applicable Data Protection Laws.

  1. Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws, UK GDPR and the CCPA.

  2. CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

  3. EEA” means the European Economic Area.

  4. European Data Protection Laws” means the GDPR and other data protection laws and regulations of the EEA and European Union, and the Member States of each of the foregoing, to the extent applicable to the Processing of Personal Data under the Agreement.
  5. GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  6. Information Security Incident” means a confirmed breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Company’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

  7. Personal Data” means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby,” provided that such data is electronic data and information submitted by or for Customer to the Services.

  8. Public Authority” means a government agency or law enforcement authority, including judicial authorities.

  9. Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  10. Security Measures” are Company’s security measures implemented and maintained as administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents, further described in Schedule 2 Annex III hereto and any other measures required by Applicable Data Protection Laws.

  11. Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, currently located here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

  12. Subprocessors” or “Sub-processor” means any third party processor that Company engages to Process Personal Data in relation to the Services.

  13. UK GDPR” means the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule.

2. Duration and Scope of DPA

This DPA will remain in effect so long as Company Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the UK GDPR. Schedule 4 to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a “business” (as defined in CCPA) with respect to such Processing.

3. Customer Instructions

Company will Process Personal Data only in accordance with Customer’s instructions to Company. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Company only pursuant to an amendment to this DPA signed by both parties. Customer instructs Company to Process Personal Data via the Services and as authorized by the Agreement. Company shall inform Customer immediately: (a) if, in its opinion, an instruction from Customer constitutes a breach of any Applicable Data Protection Laws; (b) if Company is unable to follow Customer’s instructions for the Processing of Personal Data; or (c) if Company has reason to believe that Company is subject to changes in Applicable Data Protection Laws contrary to any Customer instructions or terms or requirements of this DPA.

4. Security of Personal Data

  1. Company Security Measures. Company may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.

  2. Information Security Incidents. Company will notify Customer without undue delay of any Information Security Incident of which Company becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Company recommends the Customer take to address the Information Security Incident. Company’s notification of or response to an Information Security Incident will not be construed as Company’s acknowledgement of any fault or liability with respect to the Information Security Incident.

  3. Audits of Compliance & DPIAs.

    1. Customer may audit Company’s compliance with its obligations under this DPA no more than once per calendar year, and on such other occasions as may be required by European Data Protection Laws, including if mandated by Customer’s supervisory authority, at Customer’s sole cost, on no less than 15 days advanced written notice. Such audit must be conducted at Company’s principal place of business, during regular business hours, and may not unreasonably interfere with Company’s business activities.

    2. Company will contribute to each audit by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Company may object to the auditor if the auditor is, in Company’s reasonable opinion, not independent, a competitor of Company, or otherwise manifestly unsuitable. Such objection by Company will require the Customer to appoint another auditor or conduct the audit itself.

    3. If the controls or measures to be assessed in the requested audit are addressed in a Company SOC 2 Type 2, ISO, NIST or similar audit report, performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Company has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

    4. Customer will promptly notify Company of any non-compliance discovered during the course of an audit and provide Company any audit reports generated in connection with any audit under this Section 4(c), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

    5. Customer shall reimburse Company for any time expended by Company and any third parties in connection with any audits or inspections under this Section 4(c) at Company’s then-current professional services rates, which shall be made available to Customer upon request. For clarity, Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

  4. Data Protection Impact Assessments (DPIAs). Upon Customer’s written request, Company will provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Company.

5. Customer’s Responsibilities

  1. Customer Obligations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject, including those that have opted-out from sales or other disclosures of personal data, to the extent applicable under Applicable Data Protection Laws. Without limitation of Customer’s obligations under the Agreement, Customer: (a) agrees that Customer is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Customer uses to access the Services, (3) securing Customer’s systems and devices that Company uses to provide the Services, and (4) backing up Personal Data; and (b) has given all notices to, and has obtained all consents from, including where the Customer is a processor by ensuring that the ultimate controller does so, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Company to Process Personal Data as contemplated by the Agreement.

  2. Prohibited Data. Customer represents and warrants to Company that Customer Data does not and will not, without Company’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).

6. Compliance with Laws & Data Subject Rights

  1. Compliance with Laws. Each party will comply with all Applicable Data Protection Laws. In particular, Customer will comply with its obligations as controller (or on behalf of controller) and Company will comply with its obligations as processor.

  2. Personal Data Disclosures & Government Requests. Company will not disclose Personal Data to any third party, including any Public Authority, except: (i) as otherwise permitted under the Agreement including this DPA; or (ii) as necessary to comply with Applicable Data Protection Laws including with respect to any valid and/or binding Public Authority court order (e.g., a law enforcement subpoena). If Company receives a binding order from a Public Authority requesting access to or disclosure of Personal Data, Company will notify Customer of the request unless otherwise legally prohibited.

  3. Data Subject Request Assistance. Company will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Company’s possession or control. Where permitted under Applicable Data Protection Laws, Customer will compensate Company for any such assistance at Company’s then-current professional services rates, which will be made available to Customer upon request.

  4. Customer’s Responsibility for Requests. Company will not respond to a Data Subject Request itself, except where Customer authorizes Company to redirect the Data Subject Request as necessary to allow Customer to respond directly. If Company receives a Data Subject Request, Company will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request.

7. European & UK Data Protection Laws Specific Provisions; Changes in Laws.

  1. GDPR. Company will Process Personal Data in accordance with GDPR directly applicable to Company’s provision of its Services and as provided for in Schedules 1 and 2 hereto.

  2. UK GDPR. Company will Process Personal Data in accordance with UK GDPR directly applicable to Company’s provision of its Services and as provided for in Schedule 3 hereto.

8. Subprocessors

  1. Consent to Subprocessor Engagement. Customer authorizes the following Subprocessors to Process Personal Data: (i) Company’s Affiliates; and (ii) the Subprocessors set forth in Schedule 2 Annex III hereto (also located here: https://security.wandb.ai/?itemUid=e3fae2ca-94a9-416b-b577-5c90e382df57) as updated by Company from time to time, or such other website address as Company may provide to Customer from time to time) (“Subprocessor Site”).

  2. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Company will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Company shall be liable for all obligations under the Agreement subcontracted to, the Subprocessor or its actions and omissions related thereto.

  3. Subprocessor Changes. When Company engages any new Subprocessor after the Effective Date of the Agreement, Company will update the Subprocessor Site (including the name and location of the relevant Subprocessor and the activities it will perform). This Section 8(c) will not apply with respect to GDPR but instead will be replaced by the requirements of the Standard Contractual Clauses set forth in Section 4(g) and 4(h) of Schedule 1 hereto.

  4. Opportunity to Object to Subprocessor Changes. If Customer objects to such engagement in a written notice to Company on reasonable grounds relating to the protection of Personal Data, Customer and Company will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Company.

9. Return or Deletion of Personal Data

Upon written request by Customer, or upon termination or expiration of the Agreement, Company will delete or return Personal Data in accordance with the Agreement. This requirement shall not apply to the extent Company is required by any applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Company shall securely isolate and protect from any further processing and eventually delete in accordance with Company’s deletion policies. After termination or expiration of the Agreement, Customer acknowledges and agrees that Company may automatically initiate deletion of all Personal Data in its possession or control in accordance with Company’s standard policies.

10. Miscellaneous

Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Company’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Company to Customer under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to Company’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

Schedule 1 - Transfer Mechanisms for Standard Contractual Clauses data Transfers

1. Definitions

For the purposes of this Schedules 1 and 2, these terms shall be defined as follows:

  1. EU C-to-P Transfer Clauses” means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).

  2. EU P-to-P Transfer Clauses” means Standard Contractual Clauses sections I, II III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).

2. International Transfer Mechanisms

  1. The EU C-to-P Transfer Clauses. Where Customer and/or its Affiliate is a Controller and a data exporter of Personal Data and Company is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1; and/or

  2. The EU P-to-P Transfer Clauses. Where Customer and/or its Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and Company is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.If, in the performance of the Services, Personal Data that is subject to GDPR, or any other law relating to the protection or privacy of individuals under European Data Protection Laws, is transferred to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the European Data Protection Laws.

3. Roles

For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and Company is the data importer and the parties agree to the following. If and to the extent an Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to Customer in this Schedule includes such Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.

4. Standard Contractual Clauses Operative Provisions and Additional Terms

  1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Annexes to the Standard Contractual Clauses are set out in Schedule 2.

  2. Docking Clause. The option under clause 7 shall not apply.

  3. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Company for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data include onward transfers to a third party located outside the EEA for the purpose of the performance of the Services.

  4. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Company to Customer only upon Customer’s written request.

  5. Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organisational measures set forth herein meet Customer’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Company provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of clause 8.6(c), personal data breaches (i.e., Information Security Incidents) will be handled in accordance with Section 4(b) of this DPA.

  6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 4(c) of this DPA.

  7. General Authorization for Use of Subprocessors. Option 2 under clause 9 shall apply. The data importer has the data exporter’s general authorization for the engagement of Subprocessor(s) from those set forth in Annex III (see Schedule 2 below). The data importer shall inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors. The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.Where Company enters into the EU P-to-P Transfer Clauses with a Subprocessor in connection with the provision of the Services, Customer hereby grants Company and Company’s Affiliates authority to provide a general authorization on Controller’s behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors.

  8. Notification of New Subprocessors and Objection Right. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Company may engage new Subprocessors as described in Section 4(g) above. Company shall inform Customer of any changes to Subprocessors following the procedure provided for in Section 4(g) above. Customer may object to new Subprocessors as described in Section 8(d) of the DPA.

  9. Redress. The option under clause 11 shall not apply. Company shall inform Customer if it receives a Data Subject Request with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Company shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer).

  10. Liability. Company’s liability under clause 12(b) shall be limited to any damage caused by its Processing where Company has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.

  11. Supervision. Clause 13 shall apply as follows:

    1. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

    2. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

    3. Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK GDPR, the Information Commissioner’s Office shall act as competent supervisory authority.

  12. Notification of Government Access Requests. For the purposes of clause 15(1)(a), Company shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary. 

  13. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either: (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.

  14. Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either: (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses.

  15. Data Exports from the United Kingdom under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom subject exclusively to the UK GDRP, except where such Processing is subject to Schedule 3 hereto: (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Applicable Data Protection Laws of the United Kingdom (i.e., UK GDPR); and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK GDPR.

  16. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

5. Additional Terms for the EU P-to-P Transfer Clauses.

For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree to the following:

  1. Instructions and notifications. For the purposes of clause 8.1(a), Customer hereby informs Company that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to Company for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from Company to the relevant Controller where appropriate.

  2. Security of Processing. For the purposes of clause 8.6(c) and (d), Company shall provide notification of a personal data breach (i.e., an Information Security Incident) concerning Personal Data Processed by Company to Customer.

  3. Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to Company by Customer. If Company receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.

  4. Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, Company shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.

Schedule 2 - Annex I Through III to the Standard Contractual Clauses

This Schedule 2 contains Annex I through III to the Standard Contractual Clauses and must be completed and signed by each party below where indicated.

Annex I

A. List of Parties

Data exporter(s) / controller: Customer
Data importer(s):

Name: Weights and Biases, Inc.
Address: 400 Alabama Street, Suite 202, San Francisco, CA 94110
Contact person’s name, position and contact details: Cameron Kinloch, CFO
Role: Processor (or Subprocessor as the case may be)
Activities relevant to the data transferred under these Clauses: Processing of personal data in accordance with the Agreement and this DPA

B. Description of the Transfer

The Processing activities carried out by Company under the Agreement may be described as follows:

Categories of data subjects whose personal data is transferred

‍Personal data of end users of the processor’s Software and Services, including controller end-customer data subjects’ personal data submitted to processor by controller

Categories of personal data transferred

‍As chosen by the controller from time to time

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

‍Solely to the extent controller chooses to transmit any such data via the Software or Services

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous   basis).

‍For processor’s “Multi-Tenant Cloud” and “W&B Dedicated Cloud” Software and Service offerings, on a continuous basis as determined by a controller as permitted under the Agreement

For processor’s “Customer-Managed Single-Tenant Cloud,” “On-Premise” and/or “W&B Dedicated Cloud” (BYOB, where controller turns off continuous basis sharing) software offerings, only when controller configures the Software and/or Services in a way that transmits personal data to processor during the provision of technical Support as requested by controller

Nature of the processing

For processor’s “Multi-Tenant Cloud” and “W&B Dedicated Cloud” Software and Service offerings, processing of personal data for the Software and Services as described under the Agreement

For processor’s “Customer-Managed Single-Tenant Cloud,” “On-Premise” and/or “W&B Dedicated Cloud” (BYOB, where controller turns off continuous basis sharing) software offerings, during the provision of technical Support as requested by controller but solely to the extent controller configures the Software and/or Services in a way that transmits personal data to processor

Purpose(s) of the data transfer and further processing

For processor’s “Multi-Tenant Cloud” and “W&B Dedicated Cloud” Software and Service offerings, for processor to provide the Services to a controller as required under the Agreement

For processor’s “Customer-Managed Single-Tenant Cloud,” “On-Premise” and/or “W&B Dedicated Cloud” (BYOB, where controller turns off continuous basis sharing) software offerings, during the provision of technical Support as requested by controller but solely to the extent controller configures the Software and/or Services in a way that transmits personal data to processor

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

‍For the term of the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

‍For the term of the Agreement

C. Competent Supervisory Authority

The competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses as identified in Schedule 1 Section 4(k) of this DPA.

Annex II - Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

Company processes all Personal Data received from Controller under this DPA in conformity with the following technical and organizational measures:

Weights and Biases, Inc. has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or those otherwise made reasonably available by Weights and Biases, Inc.

Operational Security

  • Weights and Biases, Inc.’s Information Security Policy establishes a framework of internal standards.

  • Designated security team is responsible for the design, implementation and management of policies, standards, baselines, procedures, guidelines, and training programs for privacy and information security for personnel.

  • Weights and Biases, Inc. authorizes access to information resources, including production systems and customer data, on the principle of least privilege and conducts annual access control reviews.

  • Weights and Biases, Inc. requires two factor authentication to access sensitive systems and applications including user ID, password, OTP and/or certificate, for authentication, version control systems and infrastructure console, and requires context-aware access control for administrative access.

  • Personnel must accept policies addressing security, including Weights and Biases, Inc.’s Code of Conduct and Acceptable Use Policy, and must pass a background check prior to commencing employment.

  • Weights and Biases, Inc. has established formal guidelines for employee passwords to govern the management and use of authentication mechanisms, and requires use of password managers, automatic screensaver locks, hard disk encryption, and other endpoint security measures

  • A version control system helps manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system administrator.

  • Weights and Biases, Inc. has in place business continuity and incident response plans to effectively respond to a business interruption or security incident to minimize impact to customers.

  • Formal risk management processes specify risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances. Weights and Biases, Inc. engages a third-party to conduct a risk assessment at least annually.

  • Weights and Biases, Inc. performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.


Infrastructure Security

  • Encryption

    • Weights and Biases, Inc. ensures that all connections to its web application from its users are encrypted using certificated SSL and TLS configurations. Both website and application are reachable exclusively over HTTPS.

    • Weights and Biases, Inc. stores customer/partner data in databases that are encrypted at rest.

    • A key management process (currently via Google Cloud Platform) supports the organization’s use of cryptographic techniques.

  • Network security

    • Production environments run in an isolated Virtual Private Cloud network with only necessary services enabled. External administrative access is mediated through context-aware access control proxies.

    • Weights and Biases, Inc. uses a load balancer to automatically distribute incoming application traffic across multiple instances and availability zones.

    • Weights and Biases, Inc. uses configurations that ensure only approved networking ports and protocols are implemented. A Web Application Firewall protects application from outside threats.

    • Weights and Biases, Inc. tools monitor server CPU use, free storage space, message age and read I/O in Weights and Biases, Inc.’s databases, servers and messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.


Product Security

  • Weights and Biases, Inc. employs enterprise-grade Role-Based Access Control (RBAC), Single-Sign-On (SSO) authentication, and in-product data protection.

  • Weights and Biases, Inc. deletes customer data within 30 days of a customer requesting deletion.

Continuous Innovation

  • Security team continuously evaluates controls and monitors employee devices, cloud environments, and networks for malicious activity.

  • At least annually, the Weights and Biases, Inc. conducts a third party vulnerability scan of the production environment. – Weights and Biases, Inc. provides processes for external users and employees to report failures, incidents, and concerns.

  • Weights and Biases, Inc. is AICPA SOC 2 Type II compliant and a copy of our most recent SOC 2 Audit can be made available upon request.

Annex III - List of Sub-Processors

The Controller has authorized the use of the following Subprocessors: https://wandb.ai/site/wb-subprocessors

Schedule 3 - Transfer Mechanisms for UK GDPR

A. Definitions

  1. UK GDPR IDTA” means the terms of the “International Data Transfer Agreement” (located here: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.

  2. UK GDPR Addendum” or “UK Addendum” means the terms of the “International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers” (located here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.

B. International Transfer Mechanisms

For the purposes of this Schedule 3, these terms shall be defined as follows:

If, in the performance of the Services, Personal Data that is subject to UK GDPR or any other law relating to the protection or privacy of individuals that applies in the United Kingdom is transferred out of the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the UK GDPR IDTA and/or UK Addendum shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the UK GDPR.

C. Appendix Information

Annex I through III, set forth in Schedule 2 to this DPA, contain Appendix Information for the UK IDTA and UK Addendum and are incorporated therein by reference.

Schedule 4 - California Schedule


A. For purposes of this Schedule 4, the terms “business,” “business purpose,” “sell”, “share”, and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.

B. It is the parties’ intent that with respect to any personal information, Company is a service provider. Company shall not: (i) “sell” or “share” (as defined in the CCPA) personal information; (ii) not retain, use or disclose any personal information for any purpose other than for the specific business purpose of providing the Services specified in the Agreement; (iii) retain, use or disclose personal information outside of the direct business relationship between Company and Customer, except as permitted by Applicable Data Protection Laws; or (iv) combine the personal information received from Customer with personal information that it collects or receives from or on behalf of any third party except as permitted by Applicable Data Protection Laws.

C. The parties acknowledge that Company’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Company’s provision of the Services and the business relationship between the parties.