This DATA PROCESSING ADDENDUM, including its Schedules and the Standard Contractual Clauses (“DPA”), is incorporated into and forms part of the Main Service Agreement or other applicable service or subscription agreement between Customer and Sigma with respect to Customer’s use of the Services (the “Agreement”) entered into by and between Sigma Computing, Inc., a Delaware corporation with offices at 116 New Montgomery St., #700, San Francisco, CA 94105 (“Sigma”) and the entity or person defined as “Customer” under the Agreement (“Customer”), and applies solely to the extent that Sigma processes any Customer Personal Data (defined below) in connection with the Service. Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. Any capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. In the event of a conflict between the terms of this DPA and the Agreement, the terms of this DPA will supersede and control.
1.1 “Applicable Data Protection Laws” means any data protection and privacy laws and regulations applicable to the respective party in its role in processing Customer Personal Data under the Agreement, including, where applicable, European Data Protection Laws and U.S. Privacy Laws.
1.2 “Authorized Affiliate” means a Customer affiliate that is authorized to use the Service under the Agreement but that has not signed its own separate agreement with Sigma.
1.3 “Customer Personal Data” means any personal data or personal information that Sigma processes on behalf of Customer under the Agreement, as further described in Schedule 1 to this DPA, including, where applicable, Customer Data and Input Data.
1.4 “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
1.5 “Europe” means the European Economic Area (“EEA”) and its Member States, Switzerland, and the United Kingdom (“UK”).
1.6 “European Data Protection Laws” means (i) the General Data Protection Regulation 2016/679 (“GDPR”); (ii) the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK GDPR”); and (iii) the Swiss Federal Act on Data Protection Act of 2020 and its Ordinance (“Swiss FADP”); as may be amended, superseded, or replaced from time to time.
1.7 “EU Standard Contractual Clauses” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
1.8 “Restricted Transfer” means a transfer of Customer Personal Data originating from Europe to a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Laws.
1.9 “Security Incident” means a breach of Sigma's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in connection with the Service. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.10 “Sub-Processor” means any third-party processor authorized by Sigma to process Customer Personal Data in connection with the Service, as listed on Sigma’s Sub-Processor Page.
1.11 “UK Addendum” means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers, issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, as currently available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.
1.12 “U.S. Privacy Laws” means any United States data protection and privacy laws and regulations applicable to the processing of Customer Personal Data, including, where applicable, (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), and its implementing regulations (“CCPA”); (ii) the Virginia Consumer Data Protection Act (VA Code Ann. §§ 59.1-575 et seq.) (“VCDPA”); (iii) the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.) and its implementing regulations (“CPA”); (iv) the Connecticut Data Privacy Act (Pub. Act No. 22015) (“CTDPA”); and (v) the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.) (“UCPA”); in each case when effective and as may be amended, superseded, or replaced.
1.13 The terms “business,” “consumer,” “controller,” “process,” “processing,” “processor,” “sell,” “service provider,” “share,” and “supervisory authority,” have the meanings given to those terms under Applicable Data Protection Laws.
This DPA only applies to the extent that Sigma processes Customer Personal Data on behalf of Customer in the course of providing the Service under the Agreement. For the purposes of this DPA, Customer is the “controller” or “business” and Sigma is the “processor” or “service provider” of Customer Personal Data, as such terms are defined under Applicable Data Protection Laws.
Customer is solely responsible for its and its Users’ transmission of Customer Personal Data to the Service. As between Customer and Sigma, Customer will be responsible for (i) ensuring the accuracy, quality, and legality of Customer Personal Data provided to Sigma; (ii) using the Service in a manner designed to ensure a level of security appropriate to the particular content of Customer Personal Data; and (iii) obtaining all necessary rights, consents, and authorizations required for Sigma to process Customer Personal Data for the purposes contemplated by the Agreement. Customer will ensure that its processing instructions to Sigma comply with all applicable laws and regulations and that the processing of Customer Personal Data in accordance with Customer’s instructions will not cause Sigma to be in breach of applicable laws and regulations. Notwithstanding the foregoing, Sigma will have no obligation to monitor Customer's compliance with applicable laws and regulations or to assess the content of Customer Personal Data to identify whether the information is subject to specific legal requirements. Customer is responsible for making an independent determination as to whether its use of the Service meets its requirements and obligations under Applicable Data Protection Laws.
Sigma will only process Customer Personal Data in accordance with Customer's documented instructions, as set out in the Agreement (including this DPA), as directed by Customer or Customer’s Users through the Service, or as further documented in any other written instructions given by Customer to Sigma where such instructions are consistent with the terms of the Agreement. Sigma will notify Customer if it becomes aware that, in Sigma’s reasonable opinion, a processing instruction infringes Applicable Data Protection Laws.
The subject matter, duration, nature, and purpose of the processing of Customer Personal Data, and the types of personal data and categories of data subjects, are described in Schedule 1 of this DPA.
Sigma will ensure that any persons authorized by Sigma to process Customer Personal Data will be under an appropriate duty of confidentiality (whether a contractual or statutory duty) in accordance with their obligations in connection with the Service. Sigma will take commercially reasonable steps to ensure the reliability and appropriate training of employees that have access to Customer Personal Data.
Customer provides Sigma with general authorization to engage Sub-Processors, as listed at https://www.sigmacomputing.com/legal/subprocessors/ (“Sub-Processor Page”). Sigma will (a) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Customer Personal Data than Sigma's obligations under this DPA; and (b) remain liable for any errors or omissions of its Sub-Processors to the extent that Sigma would have been liable for such errors or omissions had they been caused by Sigma.
At least forty-five (45) days before enabling any new Sub-Processor to access or process Customer Personal Data, Sigma will provide written notification to Customer. Such notification will be sent to Customers that have signed up to receive updates to the Sub-Processor Page through the Sigma Trust Center. Customer may reasonably object to the engagement of any new Sub-Processor on reasonable grounds relating to data protection by informing Sigma in writing within ten (10) days of receiving written notification from Sigma. In such event, the parties will discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If Sigma cannot provide a commercially reasonable alternative within a reasonable period of time, then Customer may, as its sole and exclusive remedy, terminate the Order Form solely with respect to those aspects of the Service which cannot be provided without the use of the new Sub-Processor. Sigma will provide Customer with a pro rata refund of any prepaid but unused Fees following the effective date of such termination. If Sigma does not receive an objection pursuant to this Section 4.2, Customer will be deemed to have authorized the engagement of the new Sub-Processor.
Sigma will maintain appropriate technical and organizational measures designed to protect Customer Personal Data from Security Incidents and ensure the confidentiality, integrity, and availability of Customer Personal Data, as set forth in Sigma's data security policy located at https://www.sigmacomputing.com/legal/security-policy (“Security Policy”). Sigma may update the Security Policy from time to time, provided that any updates will not materially diminish the overall level of security provided for Customer Personal Data.
Sigma will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of any Security Incident impacting Customer. Sigma will make reasonable efforts to investigate, contain, and mitigate any adverse effects resulting from the Security Incident, to the extent such mitigation is within Sigma’s reasonable control. Customer acknowledges that Sigma personnel may not have visibility to the content of Customer Personal Data and, therefore, Sigma may not be able to provide Customer with information as to the particular nature of the information impacted by the Security Incident, including the identities, number, or categories of affected Data Subjects. Any communications by or on behalf of Sigma with respect to a Security Incident will not be construed as an acknowledgment by Sigma of any fault or liability with respect to the Security Incident.
The parties agree that Sigma may transfer Customer Personal Data processed under this DPA outside Europe as necessary to provide the Service. If Sigma transfers Customer Personal Data originating from Europe to a jurisdiction that has not been found to provide an adequate level of protection under Applicable Data Protection Laws, Sigma will ensure that appropriate safeguards have been implemented for the transfer of such Customer Personal Data in accordance with Applicable Data Protection Laws. Customer acknowledges that it is responsible for managing the regions from which its Users access Customer Personal Data.
To the extent that the transfer of Customer Personal Data from Customer to Sigma involves a Restricted Transfer, the EU Standard Contractual Clauses will be incorporated and form part of this DPA as follows:
In relation to Customer Personal Data that is subject to the GDPR: (i) the data exporter is Customer and the data importer is Sigma; (ii) Module Two (Controller to Processor) is selected; (iii) in Clause 7, the parties permit docking; (iv) in Clause 9, the parties select Option 2 and the notice period for Sub-Processor changes is set out in Section 4.2 of this DPA; (v) in Clause 11, the parties do not select the independent dispute resolution option; (vi) in Clauses 17 and 18(b), the parties agree that the governing law and forum for disputes will be the Republic of Ireland; (vii) the Annexes to the EU Standard Contractual Clauses will be deemed completed with the information provided in Schedules 1 and 2 of this DPA.
In relation to Customer Personal Data that is subject to the UK GDPR, the EU Standard Contractual Clauses will apply in accordance with Section 6.2.1 and as modified by the UK Addendum, which will be incorporated and form part of this DPA. Any conflict between the SCCs and the UK Addendum will be resolved in accordance with Sections 10 and 11 of the UK Addendum. Tables 1 to 3 of the UK Addendum will be deemed completed with the information provided in Schedules 1 and 2 of this DPA, and Table 4 will be deemed completed by selecting “neither party”.
In relation to Customer Personal Data that is subject to the Swiss FADP, the EU Standard Contractual Clauses will apply in accordance with Section 6.2.1 and the following modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein will be replaced with references to the Swiss FADP and the equivalent articles or sections therein; (ii) references to “EU”, “Union” and “Member State” will be replaced with references to “Switzerland”; (iii) the competent supervisory authority will be the Swiss Federal Data Protection Information Commissioner; (iv) references to the “competent supervisory authority” and “competent courts” will be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; and (v) the EU Standard Contractual Clauses will be governed by the laws of Switzerland and disputes will be resolved before the applicable courts of Switzerland.
If and to the extent that a court of competent jurisdiction or supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data from Customer to Sigma, the parties will reasonably cooperate to agree and take any actions that may be required to implement any additional measures or alternative transfer mechanism to enable the lawful transfer of Customer Personal Data. In the event of any conflict between the terms of this DPA and the EU Standard Contractual Clauses, the terms of the EU Standard Contractual Clauses will supersede and control.
Sigma will not retain, use, or disclose any Customer Personal Data that is subject to the CCPA (“CCPA Personal Information”) for any purpose other than for the limited and specific purpose of providing the Service to Customer or as otherwise permitted by the CCPA. Sigma will not (a) “sell” or “share” CCPA Personal Information (as those terms are defined under the CCPA); (b) retain, use, or disclose CCPA Personal Information outside the direct business relationship between Sigma and the Customer, unless expressly permitted by CCPA; or (c) combine CCPA Personal Information received from Customer with personal information that Sigma receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers, unless expressly permitted by CCPA. Sigma will provide the same level of privacy protection for CCPA Personal Information as required under the CCPA and notify Customer if Sigma can no longer meet its obligations under the CCPA. Upon such notice from Sigma, Customer may direct Sigma to take reasonable and appropriate steps to stop and remediate any unauthorized use of CCPA Personal Information by deleting all or the relevant portion of CCPA Personal Information from the Service or by such other means as reasonably agreed between the parties.
Upon written request, and insofar as Customer cannot respond using functionality made available through the Service, Sigma will provide reasonable cooperation and assistance to Customer as necessary to respond to Data Subjects seeking to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”). Customer will be responsible for any costs and expenses arising from such assistance provided by Sigma. Sigma will notify Customer if it receives a Data Subject Request directly, to the extent permitted by applicable laws and Customer is identified or identifiable from the request. Sigma may advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to Data Subject Requests.
Sigma will provide reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities, as required by Applicable Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
If Sigma receives a subpoena, court order, warrant or other legal demand from any law enforcement or other public or government authority seeking access to Customer Personal Data (“Legal Request”), Sigma will, to the extent legally permitted to do so, take steps to (a) inform the requesting authority that Sigma is a processor of Customer Personal Data and attempt to redirect the Legal Request to Customer; or (b) in the event such redirection is not possible, provide Customer with reasonable notice of the Legal Request to allow Customer to seek a protective order or other appropriate remedy. Customer acknowledges that Sigma may provide information to the requesting authority to the extent reasonably necessary to redirect the Legal Request to Customer. In any event, Sigma will only disclose the minimum information necessary to comply with the Legal Request.
Upon written request, Sigma will provide Customer and/or its appropriately qualified third-party representatives access to reasonably requested documentation evidencing Sigma's compliance with its obligations under this DPA, in the form of summary copies of relevant Third-Party Audits, as described in the Security Policy (“Audit Reports”). Such audits are performed at least once annually by one or more independent third-party auditors (e.g. Sigma's SOC 2 Type II audit report).
Only where the information provided in the Audit Reports is not reasonably sufficient to demonstrate Sigma's compliance with its obligations under this DPA, Customer may, no more than once per calendar year, send a written request to conduct an audit of Sigma’s applicable controls, including an inspection of its facilities. Sigma and Customer will mutually agree in advance on the details of such audit, including the reasonable start date, scope, duration, and confidentiality controls. Any Audit Reports or other information obtained by or on behalf of Customer pursuant to this Section 9 will be subject to Sigma's security and confidentiality terms. For the avoidance of doubt, the Customer's rights under this Section 9 will not require Sigma to disclose to Customer or its third-party representatives (a) any trade secrets; (b) any information that could compromise the security of Sigma's systems; or (c) any information that would cause Sigma to breach any applicable laws or its contractual obligations. Customer will be responsible for the costs of any audits, including without limitation reimbursing Sigma for any time expended.
Following termination or expiration of the Agreement, and upon Customer's written request, Sigma will return or delete any Customer Personal Data in its possession or control, unless further processing of Customer Personal Data is required by applicable laws. To the extent that the return or destruction of Customer Personal Data is impracticable or prohibited by applicable laws, Sigma will take reasonable measures to prevent any further processing of Customer Personal Data except to the extent necessary to comply with applicable laws, and Sigma will continue to protect the security of Customer Personal Data in accordance with this DPA.
Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. The parties agree that this DPA will replace and supersede any existing data processing addendum, attachment, exhibit, or standard contractual clauses that Sigma and Customer may have previously entered into in connection with the Service. This DPA will continue in force until termination or expiration of the Agreement and so long as Sigma continues to process Customer Personal Data on behalf of Customer.
If applicable, Customer will act as a single point of contact for any Authorized Affiliates with respect to compliance with this DPA. The parties acknowledge and agree that any claims in connection with this DPA will be brought solely by Customer, whether acting for itself or on behalf of an Authorized Affiliate.
Notwithstanding anything to the contrary in the Agreement or this DPA, the total liability of each of Customer and Sigma (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, will not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
Customer acknowledges that Sigma may disclose this DPA and any relevant privacy provisions of the Agreement to a supervisory authority or other judicial or regulatory body upon request.
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless otherwise required by this DPA or Applicable Data Protection Laws.
Data Exporter:
Name
The entity identified as the “Customer” in the applicable Order Form, or the entity that signs up to use the Service through Sigma’s “free trial” page.
Address
The Customer's address as set out in the applicable Order Form.
Contact Person’s Name, Position, and Contact Details
The contact person(s) indicated on the applicable Order Form, or such contact information as provided by Customer to Sigma from time to time in writing.
Activities relevant to the data transferred
Using the Service provided by Sigma.
Role (controller / processor)
Controller.
Signature
By signing the Agreement, the EU Standard Contractual Clauses and UK Addendum will be deemed executed by the parties.
Data Importer:
Name
Sigma Computing, Inc.
Address
116 New Montgomery St. #700, San Francisco, CA 94105.
Contact Person’s Name, Position, and Contact Details
Rahul Gupta, Head of Information Security & GRC, rahul@sigmacomputing.com.
Activities relevant to the data transferred
Providing the Service to Customer.
Role (controller / processor)
Processor.
Signature
By signing the Agreement, the EU Standard Contractual Clauses and UK Addendum will be deemed executed by the parties.
Categories of data subjects
The categories of Data Subjects are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
Users authorized by Customer to use the Service
Prospects, customers, business partners, and vendors of Customer (who are natural persons)
Employees, agents, advisors, and freelancers of Customer (who are natural persons)
Categories of personal data
The categories of personal data or personal information are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
Identification and contact data (first and last name, title, contact details)
Employment details (employer, job title, geographic location, area of responsibility)
IT information (username and password, IP address, location data)
Sensitive data transferred (if applicable)
Subject to any applicable restrictions and/or conditions in the Agreement (including this DPA), Customer may include categories of sensitive data in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but are not limited to, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
Frequency of the transfer
Continuous
Duration of the processing
Sigma agrees to process Customer Personal Data in accordance with Customer's processing instructions and for the duration of the Service to Customer, as set out under the Agreement (including this DPA).
Nature of the processing
Sigma will process Customer Personal Data as necessary to comply with its obligations and exercise its rights under the Agreement, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction, or other processing activities.
Purpose of the processing
Customer may submit personal data or personal information to the Service, the extent of which is determined and controlled by Customer in its sole discretion. Sigma will process Customer Personal Data to provide business intelligence analytics on behalf of Customer.
Period for which personal data will be retained
Sigma will retain Customer Personal Data for the term of the Agreement and any period after the termination or expiry of the Agreement during which Sigma continues to process Customer Personal Data on Customer's behalf, as set out under the Agreement (including this DPA).
The data exporter's competent supervisory authority will be determined in accordance with the GDPR, UK GDPR, or Swiss FADP (as applicable).
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The technical and organizational measures designed to protect Customer Personal Data are set out in Sigma's data security policy, located at https://www.sigmacomputing.com/legal/security-policy.
Last updated: March 3, 2025.