New Relic Now Learn about New Relic’s most transformative platform update yet with 15 product launches.
Save your seat.
No momento, esta página está disponível apenas em inglês.

Last Updated: February 5, 2025

 

This Data Processing Addendum, including its Schedules, (“Addendum”) forms part of the agreement (“Agreement”) for the use of New Relic Services between New Relic, Inc. a Delaware corporation with offices located at 188 Spear Street, Suite 1000, San Francisco, CA 94105 (“New Relic”) and Customer, and applies to the processing of Personal Data by New Relic in connection with the provision of Services as configured by Customer, including the selection of a particular feature or functionality by Customer. If you have a separate data processing addendum with New Relic for use of the Services, then this Addendum will not apply to you. If and to the extent New Relic processes Personal Data on behalf of Customer’s Affiliates, this Addendum applies to Customer’s Affiliates and all references to Customer shall include each Customer Affiliate. Customer acknowledges that, to the extent permitted by law, it is the sole entity which may enforce this Addendum on its own behalf and on behalf of its Affiliates.

 

1. Scope of this Addendum 

This Addendum applies where, and only to the extent that, New Relic processes Personal Data that is subject to Data Protection Laws on behalf of Customer as Processor in the course of providing the Services pursuant to the Agreement. New Relic’s Services are available as described in the Documentation and Personal Data is stored in the region selected by Customer. Customer will comply with all laws applicable to its role as a Controller. New Relic will comply with all laws applicable to its role as a Processor to the extent the processing is as authorized under the Agreement. This Addendum does not include personal data collected in accordance with the General Data Privacy Notice for which New Relic determines the purposes and means of processing.

 

2. Jurisdictional Terms

2.1. International Data Transfers.

2.1.1. To the extent New Relic’s provision of the Services necessitates the transfer of Personal Data from its originating region, such transfer will be subject to the provisions set forth at Schedule 3 (“International Data Transfers”) of this Addendum.

 

2.2. California Provisions.

2.2.1. Where the CCPA applies, New Relic acknowledges that it does not receive Personal Data as consideration for any services provided to Customer. New Relic: (i) is responsible for compliance with its obligations under this Addendum, (ii) is responsible for compliance with its obligations as a Service Provider under the CCPA, and (iii) shall provide the same level of privacy protection as required by the CCPA. New Relic shall notify Customer if it reasonably determines that it cannot meet its obligations under the CCPA, and in such circumstances, and upon provision of notice to New Relic, Customer shall be entitled to take reasonable and appropriate steps to remediate unauthorized use of Personal Data. New Relic must not process the Personal Data for any purpose other than for the Business Purpose, except where and to the extent permitted by the CCPA.

2.2.2. Service Provider Certification. New Relic shall not: (a) Sell or Share; (b) retain, use, or disclose the Personal Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the Personal Data for a commercial purpose other than providing its Services under the Agreement unless permitted by the CCPA; (c) retain, use, or disclose the Personal Data outside of the direct business relationship between New Relic and Customer; (d) process the Personal Data for targeted and/or cross context behavioral advertising; or (e) combine Personal Data with any other data if and to the extent this would be inconsistent with the limitations on service providers under the CCPA or other laws. New Relic certifies that it understands the restrictions set out in this Section 2.2.2 and will comply with them.

 

3. Roles and Scope of Processing 

3.1. Roles of the parties. As between the parties, Customer is the Controller of Personal Data and New Relic shall process Personal Data only as a Processor acting on behalf or on the instruction of Customer.

3.2. New Relic Processing of Personal Data. New Relic shall only process Personal Data upon lawful documented instructions from Customer, including those in the Agreement, in this Addendum, and Customer’s configuration of the New Relic Services including the selection of a particular feature or functionality, or as otherwise necessary to provide the Services, except where required otherwise by applicable laws (and provided such laws do not conflict with applicable Data Protection Laws); in such case, New Relic shall inform Customer of that legal requirement upon becoming aware of same (except where prohibited by applicable laws).

3.3. Customer Processing of Personal Data. Customer agrees it (i) shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to New Relic; and (ii) has provided notice, has an adequate basis of processing, and has obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for New Relic to process Personal Data and provide the Services pursuant to the Agreement and this Addendum. 

3.4. Details of Data Processing. Details of Data Processing are set forth in the attached Schedule 1 (“Details of Processing”). 

 

4. Confidentiality of Processing 

New Relic shall ensure that any persons authorized by New Relic authorized to process Personal Data (including its staff and agents) are committed to a duty of confidentiality (whether a contractual or statutory duty) and receive appropriate privacy and security training in respect of such Personal Data. 

 

5. Security

5.1. Security Measures. New Relic shall implement appropriate technical and organizational measures as required by Article 32 EU GDPR/UK GDPR to protect Personal Data from Personal Data Breaches and to preserve the security and confidentiality of the Personal Data, in accordance with New Relic’s security standards set forth in the attached Schedule 2 (“Security”; the “Security Measures”). New Relic’s technical and organizational measures are subject to technical progress and further development. Accordingly, New Relic reserves the right to modify the technical and organizational measures provided that the security of the New Relic Services is not degraded.

5.2. Personal Data Breach Response. New Relic shall notify Customer without undue delay after becoming aware of a Personal Data Breach. To the extent that Customer requires additional information to meet its Personal Data Breach notification obligations under Data Protection Laws, New Relic shall provide timely information relating to the Personal Data Breach as it becomes known or as is reasonably requested by Customer. Where and insofar as it is not possible to provide the information at the same time as the notification, New Relic shall provide the information in phases without further undue delay.

5.3. Personal Data Breach Investigation. New Relic shall, without undue delay, commence an investigation of a Personal Data Breach and take appropriate remedial steps to prevent and minimize any possible harm. For the avoidance of doubt, Personal Data Breaches will not include unsuccessful attempts to, or activities that do not, compromise the security of Personal Data, including, without limitation, unsuccessful login attempts, denial of service attacks and other attacks on firewalls or networked systems.

 

6. Sub-Processing

6.1. Authorized Sub-Processors. Customer acknowledges and expressly agrees that New Relic may engage Sub-Processors to process Personal Data in connection with the provision of the Services. New Relic’s list of current Sub-Processors is available online, currently: https://newrelic.com/sub-processors. Where the Standard Contractual Clauses apply, the parties acknowledge that Customer may provide a general consent to onward sub-processing by New Relic. Accordingly, Customer on behalf of itself (or, where Customer is a Processor, on behalf of and consistent with the instructions of its Controller) provides a general consent to New Relic, pursuant to Clause 9 Option 2 of Modules 2 and/or 3 of the Standard Contractual Clauses to engage onward Sub-Processors. Such consent is conditional on New Relic’s compliance with the requirements set out in this Section 6.

6.2. Changes to Sub-Processors. Provided that Customer signs up for notifications at https://newrelic.com/NR-legal-signup-datasubprocessors, New Relic shall provide twenty-one (21) days’ prior notice of any new third party Sub-Processor(s) (where that third party Sub-Processor is a core service provider within the New Relic observability platform and where Personal Data would immediately be processed by that Sub-Processor in the absence of any objection by Customer). After being notified, Customer will have ten (10) business days to notify New Relic in writing of any reasonable objection it has to the new third party Sub-Processor(s). Failure to notify New Relic within this time frame will be deemed approval of the new third party Sub-Processor(s). In the event Customer provides reasonable objection, New Relic will use reasonable efforts to make a change in the Service or Customer’s configuration available to avoid processing of Personal Data by such third party Sub-Processor and shall not allow the rejected third party Sub-Processor to process Personal Data during this time. If New Relic is unable to make available such change within a reasonable period of time, which shall not exceed forty-five (45) days, Customer may terminate the applicable order with respect to the affected service that cannot be provided without use of the rejected third party Sub-Processor.

6.3. Where the new third party Sub-Processor (non-core service provider) relates to an optional new feature or functionality that Customer is not currently using and where the use of such new feature or functionality (and the subsequent processing of Personal Data) could only be enabled by Customer’s deliberate configuration of the Services to include such Sub-Processor, New Relic shall provide notice of the appointment of the third party Sub-Processor simultaneously with the announcement of the new feature or functionality. Where Clause 9 Option 2 of the Standard Contractual Clauses applies, the time period for prior notice of Sub-Processor changes shall be as set out at this Section 6.3.

6.4. Sub-Processor Obligations. In the event New Relic engages a third party Sub-Processor to carry out specific processing activities on behalf of Customer, New Relic shall conduct appropriate due diligence and security review prior to engaging that Sub-Processor. New Relic shall place substantially similar obligations to this Addendum on such Sub-Processor. Where such additional third party Sub-Processor fails to fulfil its data protection obligations, New Relic shall remain fully liable to Customer for the performance of that Sub-Processor’s obligations.

 

7. Cooperation

7.1. Data Subjects and Data Protection Authorities RequestsTo the extent that Customer is unable to independently access the relevant Personal Data within the Services and, taking into account the nature of the processing, New Relic will (at Customer's expense and in accordance with the Documentation) use reasonable efforts to assist Customer in responding to requests by Data Subjects or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to New Relic, New Relic shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so or if New Relic cannot identify the relevant Customer(s). If New Relic is required to respond to such a request, New Relic shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

7.2. Data Protection Impact Assessments. To the extent New Relic is required under Data Protection Laws, New Relic will (at Customer's expense) provide reasonably requested information regarding New Relic's processing of Personal Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

 

8. Other Obligations

Where European Data Protection Law applies, taking into account the nature of the processing under this Addendum, New Relic shall take all reasonable steps to assist Customer in meeting Customer’s obligations under Articles 32 to 36 of GDPR/UK GDPR as set out in this Addendum at Section 5 ‘Security’ and Section 7 ‘Cooperation’.

 

9. Return or Deletion of Data 

Upon receipt of Customer’s written request, New Relic shall (at Customer's election) return Personal Data or close Customer’s account and delete all Personal Data within 90 days of the termination, save that this requirement shall not apply to the extent New Relic is required by applicable law to retain some or all of the Personal Data, which Personal Data New Relic shall securely isolate and protect from any further processing, except to the extent required by applicable law. Customer may uninstall the New Relic software agent at any time to cease processing of new information. Where Clause 8.5 of Modules 2 and/or 3 of the Standard Contractual Clauses applies, New Relic shall provide Customer with a certificate of deletion of Personal Data upon receipt of Customer’s written request for such a certificate.

 

10. Security Reports and Audits

10.1. Customer may audit New Relic’s compliance with the terms of this Addendum in the manner set out in this Addendum once annually. Customer may elect to perform such an audit on its own behalf or pursuant to a formal direction or request for information from a supervisory authority to which Customer is subject.

10.2. Customer must send New Relic notice in writing of a request to conduct an audit. Once requested by Customer, subject to the confidentiality obligations set forth in the Agreement, New Relic shall make available to Customer (or Customer’s independent, third party auditor that is not a competitor of New Relic) information regarding New Relic’s compliance with the obligations set forth in this Addendum in the form of the third party certifications and audits described at https://www.newrelic.com/security.

10.3. Upon review of such materials as described in Section 10.2, if Customer identifies areas that have not been covered that it is lawfully permitted to audit under this Addendum, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm New Relic’s compliance with this Addendum, provided that Customer shall not exercise this right more than once per year.

10.4. Where the Standard Contractual Clauses apply, the parties agree and acknowledge that Customer shall exercise its audit right under Clauses 8.9 (c) and (d) of Modules 2 and/or 3 of the Standard Contractual Clauses by instructing New Relic to comply with the audit measures described in this Section 10. Customer further agrees that such audit rights shall be exercised by the Customer party that enters into this Addendum.

 

11. Government Requests

11.1. If a government entity (including a law enforcement agency) sends New Relic a demand for Personal Data, New Relic shall attempt to redirect the government entity to request that data directly from Customer. As part of this effort, New Relic may provide Customer’s basic contact information to the government entity. If compelled to disclose Personal Data to a government entity, then New Relic shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless New Relic is legally prohibited from doing so.

11.2. New Relic undertakes to adopt appropriate technical and organizational measures to protect the Personal Data in accordance with the requirements of the EU GDPR and UK GDPR (as applicable), including by implementing appropriate technical and organizational safeguards as set out in Schedule 2 of this Addendum to protect Personal Data against any interference by a government authority that goes beyond what is necessary in a democratic society to safeguard national security, defense, and public security.

11.3. New Relic certifies that it has not created (nor knowingly allowed to be created) back doors or similar programming that could be used to access Personal Data processed under this Addendum on its systems by a government authority or created or changed its business processes in a manner that facilitates access to Personal Data processed under this Addendum on its systems by government authorities.

 

12. Relationship with the Agreement

12.1. This Addendum supersedes any conflicting or inconsistent provisions in the Agreement related to data protection and, in the event of any such conflict, this Addendum will prevail. The Agreement, as amended and modified by this Addendum, otherwise remains in full force and effect.

12.2. Any claims brought under or in connection with this Addendum shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. Where the Standard Contractual Clauses apply, any claims brought under the Standard Contractual Clauses shall also be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall either party limit its liability with respect to any Data Subject or any competent supervisory authority under the Standard Contractual Clauses.

12.3. No one other than a party to this Addendum, its successors and permitted assignees shall have any right to enforce any of its terms.

12.4. This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Law.

12.5. This Addendum and the Standard Contractual Clauses (if applicable) shall terminate simultaneously and automatically with the termination or expiration of the Agreement.

13. Updates

New Relic may modify this Addendum from time to time. The most current version of this Addendum will be posted on www.newrelic.com (the “Site”). Any changes to this Addendum posted on the Site will be effective if Customer assents to such changes or upon entering any new or renewal Order for the Services after such changes are posted, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Addendum, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew an Order for the Services as permitted pursuant to the Agreement.

14. Definitions

Capitalized terms used but not defined in this Addendum shall have the same meanings as set out in the Agreement. In this Addendum, the following terms shall have the following meanings:

“Affiliate” means an entity where Customer owns greater than 50% of the voting securities, provided that such an entity will be considered an Affiliate for only such time as such equity interest is maintained. 

“Controller”, “Processor”, “Data Subject” and “Process” (and “Processes”, “Processed” and “Processing”) have the meanings given to them under the Data Protection Laws, and shall include “Business”, “Consumer”, and “Service Provider”, respectively where applicable.

“Data Privacy Framework” means the: EU-U.S. and/or the Swiss-U.S. Data Privacy Framework (“DPF”), including, where applicable, the UK Extension to the DPF (“UK Extension”) which is operated by the U.S. Department of Commerce.

“Data Protection Laws” means all laws applicable to the processing of Personal Data under the Agreement including European Data Protection Laws and United States Privacy Laws.

“DPF Principles” means the Data Privacy Framework Principles.

“EEA” means the European Economic Area.

“European Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national data protection laws made under or pursuant to (i) or (ii); and (iv) (where applicable) the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”), the United Kingdom Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) (in each of cases (i) to (iv), as superseded, amended or replaced).

“New Relic Group” means the subsidiaries and affiliates of New Relic, Inc. that may assist in the performance of Services. 

“Personal Data” means any information relating to an identified or identifiable natural person (Data Subject) included in the Customer Data that New Relic processes on behalf of Customer as a Processor in the course of providing the Services. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number etc. or to one or more factors specific to the physical, physiological etc. identity of that natural person. 

“Personal Data Breach” means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss DPA applies, a transfer of personal data from Switzerland to any country which is not recognized to provide adequate protection by the Swiss Federal Data Protection and Information Commission; (iii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018

“Standard Contractual Clauses” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. The Standard Contractual Clauses include, where applicable, the UK SCCs.

“Sub-Processor” means any Processor engaged by New Relic to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this Addendum. Sub-Processors may include third parties or members of the New Relic Group. 

“United States Privacy Laws” means (i) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (the “CCPA”); (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq (the “VCDPA”); (iii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq. (the “CPA”); (iv) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015 (the “CTDPA”); and (v) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (the “UCPA”) and any other applicable U.S. state privacy laws relevant to New Relic’s provision of the Services as a Processor.

The terms “Business”, “Business Purpose”, “Consumer”, “Personal Information”, “Sale”, “Sell”, “Service Provider”, and “Share” as used in this Addendum have the meanings given in United States Privacy Laws.

 

Schedule 1 - Details of Processing

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Customer:The party entering into the Agreement for the use of New Relic Services
Contact details:The email address(es) designated by Customer in Customer’s account via its notification preferences.
Signature and date:By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
 Customer may act as controller or processor of personal data transmitted to the Services under the EU SCCs.

Data importer(s)[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name:New Relic, Inc.
Address:188 Spear Street, Suite 1000, San Francisco, CA 94105, United States.
Contact person’s name,
position and contact details:

Data Protection Officer
Privacy@newrelic.com

Activities relevant to the data transferred under these Clauses:New Relic provides performance monitoring and analytics services for applications, infrastructure systems, mobile applications, browser and client-side software, and other digital systems, as specified in the applicable order from Customer.
Signature and date:By entering into the Agreement, Data Importer is deemed to have signed these EU SCCs, incorporated herein, including their Annexes, as of the effective date of the Agreement;
Role (controller/processor):New Relic may act as processor and/or subprocessor of personal data transmitted to the Services under the EU SCCs.

В. DESCRIPTION OF TRANSFER 

Categories of data subjects whose personal data is transferredData Subjects who interact with the software, system or application Customer (or Customer’s customer) has chosen to monitor and perform analytics on using the Services, which may include (but are not limited to) Customer’s users and customers or as otherwise determined by Customer in the configuration of the Services.
Categories of personal data transferredPersonal Data that is submitted to the Services by Customer, which may include, but is not limited to, IP address, username, and other types of identifiable data configured by Customer (or Customer’s customer), subject to the restrictions in the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.Non applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).Continuous basis.
Nature of the processingNew Relic is providing performance monitoring and analytics services for applications, infrastructure systems, mobile applications, browser and client-side software, and other digital systems, as specified in the applicable order and in the Agreement. These Services may include the processing of Personal Data by New Relic as determined by Customer in the configuration of the Services.
Purpose(s) of the data transfer and further processingThe purpose of the data transfer and further processing (where applicable) is the provision of the Services by New Relic to Customer as specified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodPersonal data will be deleted within 90 days of the termination of Customer’s Account, save that this requirement shall not apply to the extent New Relic is required by applicable law to retain some or all of the Personal Data.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing Where New Relic is acting as a sub-processor the foregoing subject matter, nature and duration shall also apply.

C. Competent Supervisory Authority 

Customer’s competent supervisory authority will be determined in accordance with the EU GDPR.

 

Schedule 2 – Security 

New Relic will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Personal Data transmitted to the Services, as described in the New Relic Security Policy, as updated from time to time, and located and accessible via the Documentation, currently: https://docs.newrelic.com/docs/licenses/license-information/referenced-policies/security-policy.

 

Schedule 3 – International Data Transfers

1. Data Regions.

New Relic’s data hosting regions are described in the Documentation, currently located in the U.S. and the EU. Personal Data held in Customer’s Account in the Services environment will be: (i) hosted in the data hosting region selected by Customer during the provisioning of the Account or (ii) hosted in the data region selected by Customer in configuring a new feature or functionality. New Relic will not migrate Customer’s Account in the Services environment to another data hosting region without Customer’s prior consent.

 

2. Operational Access and Processing. 

Without prejudice to Section 1 of this Schedule 3, New Relic or its Sub-Processors may access and Process Personal Data outside the EEA, including in the U.S., as necessary to maintain, secure, or perform the Services, for technical support, or as necessary to comply with law or a binding order of a government body as further described in Section 11 (Government Requests). New Relic may also engage Sub-Processors as further described in Section 6 (Sub-Processing).

 

3. Data Privacy Framework. 

With respect to the transfer of Personal Data to the U.S. from the EEA and/or Switzerland, New Relic is certified under the DPF and complies with the DPF Principles when processing such Personal Data. If New Relic’s certification under the DPF is revoked or otherwise invalidated, New Relic shall, where applicable, inform Customer and (if applicable) upon request, take reasonable and appropriate steps to remediate any unauthorized processing.

 

4. Restricted Transfers. 

The parties agree that when the transfer of Personal Data from Customer to New Relic is a Restricted Transfer the appropriate Standard Contractual Clauses as set out in Sections 5.1, 5.2, & 6 of this Schedule 3 shall apply. Where the DPF applies in respect of a Restricted Transfer, and/or if New Relic’s certification under the DPF is revoked and/or if the DPF is invalidated, or otherwise no longer applies, Sections 5.1, 5.2 and 6 of this Schedule 3 will apply for that Restricted Transfer.

 

5. Transfers outside the EEA and Switzerland.

In relation to Personal Data that is protected by the EU GDPR and/or the Swiss DPA, the Standard Contractual Clauses are incorporated and will apply completed as follows (as applicable): 

5.1. Where Customer is a Controller of the Personal Data protected by the EU GDPR, then Module 2 of the Standard Contractual Clauses applies between Customer as "data exporter" (notwithstanding that the Customer may be an entity located outside the EEA) and New Relic as "data importer" on the following basis: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Section 9.2 of this Addendum, (iii) in Clause 11, the optional language shall not apply, (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law, (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland, (vi) Annex 1 to the Standard Contractual Clauses will be deemed to incorporate Schedule 1 to this Addendum, and (vii) Annex 2 to the Standard Contractual Clauses will be deemed to incorporate Schedule 2 of this Addendum. Where Customer is a Controller of Personal Data protected by the Swiss DPA, then Module 2 of the Standard Contractual Clauses applies between Customer as "data exporter" and New Relic as "data importer" on the preceding basis and additionally: (i) in Clause 13 the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commission, (ii) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c), (iii) all references to the EU GDPR in this Addendum are also deemed to refer to the Swiss DPA, and (iv) the Standard Contractual Clauses also protect the personal data of legal entities until such time as a revised Swiss DPA enters into force.

5.2. Where Customer is a Processor on behalf of a third party Controller, then Module 3 of the Standard Contractual Clauses applies between Customer as "data exporter" (notwithstanding that Customer or the third party Controller may be an entity located outside the EEA) and New Relic as "data importer" on the following basis: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 9, Option 2 will apply, the time period for prior notice of Sub-Processor changes shall be as set out in Section 9.2 of this Addendum, and New Relic shall fulfil its Sub-Processor notification obligations under Clause 9 by notifying Customer of any Sub-Processor changes in accordance with Section 6.2 of this Addendum (and Customer shall, in turn, be responsible for notifying the relevant Controller and communicating any objections it may raise to New Relic), (iii) in Clause 11, the optional language shall not apply, (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law, (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland, (vi) Annex 1 to the Standard Contractual Clauses will be deemed to incorporate Schedule 1 to this Addendum, and (vii) Annex 2 to the Standard Contractual Clauses will be deemed to incorporate Schedule 2 of this Addendum. Where Customer is a Processor on behalf of a third party Controller of Personal Data protected by the Swiss DPA, then Module 3 of the Standard Contractual Clauses applies between Customer as "data exporter" and New Relic as "data importer" on the preceding basis and additionally: (i) in Clause 13 the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commission, (ii) the term Member State must not be interpreted in such a way as to exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c), (iii) all references to the EU GDPR in this Addendum are also deemed to refer to the Swiss DPA, and (iv) the Standard Contractual Clauses also protect the personal data of legal entities until such time as a revised Swiss DPA enters into force.

 

6. Transfers outside the UK.

In relation to Personal Data that is protected by the UK GDPR, the Standard Contractual Clauses will apply completed with the following modifications: 

6.1. Each party will be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under Section 119 A of the United Kingdom Data Protection Act 2018, (ii) the Standard Contractual Clauses shall be deemed amended as specified by the UK Addendum in respect of the transfer of Personal Data, (iii) in Table 1 of the UK Addendum, the parties’ contact information is located in Schedule 1 of this Addendum, (iv) in Table 2 of the UK Addendum, information on the Standard Contractual Clauses, modules and selected clauses is located in Sections 5.1 and 5.2 of this Schedule 3, (v) Table 3 of the UK Addendum shall be deemed completed with the information set out at this Schedules 1 & 2 of this Addendum, and (vi) in Table 4 of the UK Addendum, either party may end the UK Addendum in accordance with its terms and the respective box for each is deemed checked (“UK SCCs”).

6.2. If Section 6.1 above does not apply, the Customer and New Relic shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.

6.3. With respect to the transfer to the U.S. of Personal Data that is subject to the UK GDPR, the UK Extension shall apply. If New Relic’s certification under the UK Extension is revoked and/or if the UK Extension is invalidated, or otherwise no longer applies, then Sections 6.1 & 6.2 of this Schedule 3 shall apply in respect of that transfer.

 

7. Application of the Standard Contractual Clauses.

If the Standard Contractual Clauses apply, Customer agrees that the Standard Contractual Clauses constitute New Relic's Confidential Information as that term is defined in the Agreement and may not be disclosed by Customer to any third party without New Relic's prior written consent unless permitted pursuant to Agreement. This shall not prevent disclosure of the Standard Contractual Clauses to a Data Subject nor to a competent supervisory authority upon request. In the event that the current Standard Contractual Clauses are superseded or replaced by new standard contractual clauses approved by the competent authority for Personal Data in: (i) the EEA and/or (ii) the United Kingdom, New Relic and Customer agree that such new standard contractual clauses shall automatically apply to the transfer of such Personal Data from Customer to New Relic and shall be deemed completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described above. In the event that the standard contractual clauses (in any form) are no longer accepted as a valid transfer mechanism, the parties shall take such steps as are necessary to ensure that any ongoing transfer of Personal Data is in accordance with applicable law.

 

8. Suspension of Transfer.

Where the Standard Contractual Clauses apply, the parties acknowledge that New Relic may process the Personal Data only on behalf of Customer and in compliance with Customer’s instructions and the Clauses. If New Relic becomes aware that it cannot provide such compliance it agrees to promptly inform Customer of its inability to comply, and Customer will be entitled to suspend the transfer of data under Clauses 14(f) and/or 16(b) of the Standard Contractual Clauses. If Customer intends to suspend the transfer of Personal Data, it shall provide notice to New Relic within a reasonable period of time to cure the non-compliance (“Cure Period”). If, after the Cure Period, New Relic has not or cannot cure the non-compliance, Customer may suspend or terminate the transfer of Personal Data immediately. Notwithstanding the foregoing, Customer shall not be required to afford New Relic a Cure Period where it reasonably considers there is a material risk of harm to Data Subjects or their personal data or where a competent supervisory authority has directed the suspension or termination of the transfer of Personal Data.