Last updated: May 7, 2024
THIS DATA PROCESSING ADDENDUM (“DPA”) APPLIES BETWEEN WEIGHTS AND BIASES, INC., A DELAWARE CORPORATION WITH A PRINCIPAL PLACE OF BUSINESS LOCATED AT 400 ALABAMA STREET, SUITE 202, SAN FRANCISCO, CA 94110 (“W&B”), AND CUSTOMER (DEFINED BELOW) WHERE CUSTOMER CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO W&B FOR PROCESSING BY MEANS OF A W&B ASSET, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA (INCLUDING FOR CLARITY THE STANDARD CONTRACTUAL CLAUSES) EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A “CUSTOMER”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO W&B. W&B RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER’S CONTINUED TRANSFER OF PERSONAL DATA.
This DPA forms part of W&B’s Master Service Agreement (available at: https://wandb.ai/site/terms), unless W&B and Customer have entered into a separate written agreement for the use of the Service whereby such other agreement will control (“Agreement”) between the parties under which W&B will provide the W&B Assets to Customer which involves the Processing of Personal Data subject to Applicable Data Protection Laws. The purpose of this DPA is to set forth the terms under which W&B Processes Personal Data on behalf of Customer.
This DPA consists of the main body and Schedules 1 through 4. Acceptance of this DPA shall include acceptance of the Standard Contractual Clauses (defined below) and their Annexes (see Schedule 2 below).
Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the Applicable Data Protection Laws.
This DPA will remain in effect so long as Company Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the UK GDPR. Schedule 4 to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a “business” (as defined in CCPA) with respect to such Processing.
Company will Process Personal Data only in accordance with Customer’s instructions to Company. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Company only pursuant to an amendment to this DPA signed by both parties. Customer instructs Company to Process Personal Data via the Services and as authorized by the Agreement. Company shall inform Customer immediately: (a) if, in its opinion, an instruction from Customer constitutes a breach of any Applicable Data Protection Laws; (b) if Company is unable to follow Customer’s instructions for the Processing of Personal Data; or (c) if Company has reason to believe that Company is subject to changes in Applicable Data Protection Laws contrary to any Customer instructions or terms or requirements of this DPA.
Upon written request by Customer, or upon termination or expiration of the Agreement, Company will delete or return Personal Data in accordance with the Agreement. This requirement shall not apply to the extent Company is required by any applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Company shall securely isolate and protect from any further processing and eventually delete in accordance with Company’s deletion policies. After termination or expiration of the Agreement, Customer acknowledges and agrees that Company may automatically initiate deletion of all Personal Data in its possession or control in accordance with Company’s standard policies.
Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Company’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Company to Customer under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to Company’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
For the purposes of Schedules 1 and 2, these terms shall be defined as follows:
For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and Company is the data importer and the parties agree to the following. If and to the extent an Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any reference to Customer in this Schedule includes such Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree to the following:
This Schedule 2 contains Annex I through III to the Standard Contractual Clauses and must be completed and signed by each party below where indicated.
Data exporter(s) / controller: Customer
Data importer(s):
Name: Weights and Biases, Inc.
Address: 400 Alabama Street, Suite 202, San Francisco, CA 94110
Contact person’s name, position and contact details: Cameron Kinloch, CFO
Role: Processor (or Subprocessor as the case may be)
Activities relevant to the data transferred under these Clauses: Processing of personal data in accordance with the Agreement and this DPA
The Processing activities carried out by Company under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
Personal data of end users of the processor’s Software and Services, including controller end-customer data subjects’ personal data submitted to processor by controller
Categories of personal data transferred
As chosen by the controller from time to time
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Solely to the extent controller chooses to transmit any such data via the Software or Services
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For processor’s “Multi-Tenant Cloud” and “W&B Dedicated Cloud” Software and Service offerings, on a continuous basis as determined by a controller as permitted under the Agreement
For processor’s “Customer-Managed Single-Tenant Cloud,” “On-Premise” and/or “W&B Dedicated Cloud” (BYOB, where controller turns off continuous basis sharing) software offerings, only when controller configures the Software and/or Services in a way that transmits personal data to processor during the provision of technical Support as requested by controller
Nature of the processing
For processor’s “Multi-Tenant Cloud” and “W&B Dedicated Cloud” Software and Service offerings, processing of personal data for the Software and Services as described under the Agreement
For processor’s “Customer-Managed Single-Tenant Cloud,” “On-Premise” and/or “W&B Dedicated Cloud” (BYOB, where controller turns off continuous basis sharing) software offerings, during the provision of technical Support as requested by controller but solely to the extent controller configures the Software and/or Services in a way that transmits personal data to processor
Purpose(s) of the data transfer and further processing
For processor’s “Multi-Tenant Cloud” and “W&B Dedicated Cloud” Software and Service offerings, for processor to provide the Services to a controller as required under the Agreement
For processor’s “Customer-Managed Single-Tenant Cloud,” “On-Premise” and/or “W&B Dedicated Cloud” (BYOB, where controller turns off continuous basis sharing) software offerings, during the provision of technical Support as requested by controller but solely to the extent controller configures the Software and/or Services in a way that transmits personal data to processor
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For the term of the Agreement
Company processes all Personal Data received from Controller under this DPA in conformity with the following technical and organizational measures:
Weights and Biases, Inc. has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or those otherwise made reasonably available by Weights and Biases, Inc.
Operational Security
Infrastructure Security
Product Security
Continuous Innovation
The Controller has authorized the use of the following Subprocessors: https://wandb.ai/site/wb-subprocessors
For the purposes of this Schedule 3, these terms shall be defined as follows:
If, in the performance of the Services, Personal Data that is subject to UK GDPR or any other law relating to the protection or privacy of individuals that applies in the United Kingdom is transferred out of the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the UK GDPR IDTA and/or UK Addendum shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the UK GDPR.
Annex I through III, set forth in Schedule 2 to this DPA, contain Appendix Information for the UK IDTA and UK Addendum and are incorporated therein by reference.
A. For purposes of this Schedule 4, the terms “business,” “business purpose,” “sell”, “share”, and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.
B. It is the parties’ intent that with respect to any personal information, Company is a service provider. Company shall not: (i) “sell” or “share” (as defined in the CCPA) personal information; (ii) retain, use or disclose any personal information for any purpose other than for the specific business purpose of providing the Services specified in the Agreement; (iii) retain, use or disclose personal information outside of the direct business relationship between Company and Customer, except as permitted by Applicable Data Protection Laws; or (iv) combine the personal information received from Customer with personal information that it collects or receives from or on behalf of any third party except as permitted by Applicable Data Protection Laws.
C. The parties acknowledge that Company’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Company’s provision of the Services and the business relationship between the parties.