This Data Processing Agreement (“DPA”) is subject to, governed by and deemed an integral part of the Agreement, and applies when Customer Personal Data is Processed by Appian on behalf of Customer. This DPA will become legally binding upon the Effective Date of the Agreement or upon the date that the parties sign this DPA if it is completed after the Effective Date of the Agreement.
1. Definitions.
“Agreement” shall mean the (i) Cloud Subscription Agreement and/or the (ii) Master On Premise Agreement, in place between the Parties, as applicable.
“Appian” means the Processor contracting entity under this DPA, being, as the case may be, either: (a) Appian Corporation; or (b) Appian Software International LLC, as more particularly described in the Agreement with the Customer or, if this DPA is signed separately, as indicated in the signature block of this DPA.
“Controller”, “Data Subject”, “Processing”, “Processor”, “Personal Data” and “Personal Data Breach” have the respective meanings given to them in the applicable Data Protection Laws.
“Customer” means the Controller of Customer Personal Data under this DPA and identified in an applicable Order Form.
“Customer Personal Data” means Personal Data placed inside the Cloud Offering and Processed by Appian on behalf of Customer in its performance of the Services under the Agreement.
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, where Appian or Customer is located and wherever the Customer Personal Data is hosted, including in all cases the EU GDPR, the UK GDPR where the Customer Personal Data includes data from EU or UK data subjects, and the Swiss Data Protection Laws.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as may be amended or replaced from time to time.
“Purpose” means the purpose of the Processing which is the carrying out of the Services by Appian.
“Restricted Transfers” means transfers of Personal Data to jurisdictions or organisations not considered adequate under the EU GDPR or UK GDPR.
“SCCs” means the Standard Data Protection clauses as defined in Article 46 of GDPR pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including those as incorporated into the UK Addendum, as applicable.
“Services” means either (i) where the Customer is a customer of Appian’s Cloud Offering under the Cloud Subscription Agreement, the making available of the Cloud Offering and provision of associated maintenance, and/or (ii) where the Customer is a customer of Appian’s on premise software offering under the Master On Premise Software Agreement, the provision of associated maintenance on the Appian Software.
“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection (as amended or replaced).
“UK Addendum” means International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0 issued 21 March 2022 by the UK Information Commissioner’s Office.
“UK GDPR” means the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.
Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Agreement and, if not defined therein, the applicable Order Form.
2. Roles and Responsibilities.
The Parties acknowledge and agree that, for the purposes of the Processing of the Customer Personal Data, Customer shall be the Controller and Appian will be acting as Processor in respect of Appian’s performance of the Services under the Agreement. The Purpose of any Transfer shall be solely for the performance of the Services and on the instructions of the Controller. The Data Subject categories shall be as determined by the Controller during the course of the Agreement.
3. Transfer Mechanism.
3.1. Appian Inc is a participant in and adheres to the Data Privacy Framework administered by the U.S. Department of Commerce <https://www.dataprivacyframework.gov/s/> (“DPF”), the UK Extension to the EU-US DPF (“UK Extension”) and the Swiss-US Data Privacy Framework (“Swiss-US DPF”). All transfers of applicable Customer Personal Data from the European Economic Area (“EEA”) to the United States and from the United Kingdom to the United States shall be governed by the DPF and the UK Extension, respectively. Transfers of applicable Customer Personal Data from Switzerland to the United States shall be governed by the Swiss-US DPF. Appian will notify Customer at least thirty (30) days in advance of Appian’s withdrawal from such self-certification.
3.2 Restricted Transfers. For any transfers of Customer Personal Data under this DPA to countries or organisations which do not ensure an adequate level of data protection within the meaning of EU, UK or Swiss Data Protection Laws:
(i) to the extent such transfers are subject to EU or Swiss Data Protection Laws, where Customer is the Controller and Appian is the Processor, the EU SCCs Module Two (Controller to Processor) shall apply; and
(ii) for transfers from the UK which are subject to the UK GDPR, the UK Addendum shall apply.
3.3 Under Annex I.A of the SCCs, Customer is a controller and the “data exporter” and Appian is a processor and the “data importer”;
a. The remaining details required in Annex I.A are as set out in the Agreement or attached hereto.
b. Under Annex I.B, the details of the transfer are as set out in the Agreement or attached hereto;
c. Under Annex I.C, the competent supervisory authority is the authority in the member state from which Personal Data is being exported; and
d. Under Annex II, the technical and organizational measures implemented by Appian shall be as set out in clause 7 of this DPA.
e. Under Annex III, the list of Sub-Processors shall be as set out in clause 8 of this DPA.
f. Under clause 13, the competent supervisory authority is the supervisory authority of the member state from which Personal Data is being exported;
g. Under clause 17, the governing law is the law of the member state from which Personal Data is being exported;
h. Under clause 18, any dispute arising from the SCCs shall be resolved by the courts of the member state from which Personal Data is being exported.
4. Controller Obligations.
The Customer shall comply with this DPA and all Applicable Data Protection Laws in relation to Personal Data.
Customer acknowledges that it has exclusive control of and responsibility for determining the means and purposes of Processing and what Customer Personal Data Customer submits to Appian, and warrants that it has all authority, grounds, rights, consents and permissions required for the submission and transfer of Customer Personal Data and its Processing by Appian under the Agreement and this DPA.
Customer shall provide assistance reasonably requested by Appian in relation to the fulfillment of Appian’s obligations to cooperate with the relevant supervisory authority under Article 31 EU GDPR. Notwithstanding any other provision of this DPA or the Agreement, Appian shall be entitled to respond to and provide all relevant information in respect of requests or orders issued by such supervisory authority.
5. Processor Obligations.
Appian shall comply with this DPA and all Applicable Data Protection Laws applicable to it as a Data Processor in respect of the Processing of Customer Personal Data for the Purpose in accordance with these terms.
Appian shall:
a. only carry out any Processing of Customer Personal Data on the documented instructions of Customer, including with regard to transfers of Personal Data to a third country, unless Appian is required to do so by law. In such a case, Appian shall inform Customer of that legal requirement before Processing Customer Personal Data, unless that law prohibits such information;
b. immediately inform Customer if, in its opinion, an instruction from Customer infringes applicable Data Protection Laws;
c. ensure that persons authorized by it to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
d. taking into account the nature of the Processing, implement and maintain technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Article 32 of the GDPR, as further set out in Clause 7 of this DPA;
e. have the right to engage Sub-Processors for Processing of Customer Personal Data in accordance with Clause 8 of this DPA, provided that: (i) Appian shall ensure that all Sub-Processors are bound by written agreements that require them to provide substantially the same level of protection to Customer Personal Data as stated hereunder; (ii) such Sub-Processors have been reviewed by an appropriate due diligence process; and (iii) Appian will be liable to Customer for the acts and omissions of the Sub-Processor undertaken in connection with Appian’s performance under this Agreement to the same extent Appian would be liable if performing the Services directly;
f. notify Customer in writing of any notices it receives in connection with the Processing of any Customer Personal Data, and, taking into account the nature of the Processing of Customer Personal Data, assist Customer through appropriate technical and organisational measures, insofar as this is possible, in the fulfillment of Customer’s obligations to respond to Data Subject requests to exercise their rights with respect to Personal Data;
g. without undue delay, notify Customer in writing after becoming aware of a Personal Data Breach involving Customer Personal Data, in accordance with Clause 7.4 below, provided that Customer agrees that Appian’s notification of or response to a Personal Data Breach does not constitute an acknowledgement of fault or liability with respect to the Personal Data Breach;
h. assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR in accordance with this DPA, taking into account the nature of Processing and the information available to Appian; and
i. upon request, securely delete all Customer Personal Data within 30 days after the end of the provision of the Services relating to the Processing under this Agreement, and securely delete existing copies, unless EU law or the law of the EU member state(s) to which Appian is subject require storage of Customer Personal Data.
6. Scope of Processing.
Unless expressly agreed otherwise or compelled by law otherwise:
a. the subject-matter, type of Personal Data and categories of Data Subjects of the Processing shall all be as set out in the Agreement or, if not set out in the Agreement, as provided by Customer to Appian before and during the term of the Agreement, the details of which Customer warrants are accurate;
b. the duration of the Processing shall be the term and a reasonable period thereafter (within 30 days after the end of the provision of Services) in accordance with the Services relating to the Processing under this Agreement and Appian’s data retention policies then in force;
c. the nature and purpose of the Processing shall be the performance of this Agreement; and
d. the obligations and rights of Customer shall be as stated in the Agreement and in accordance with applicable law.
7. Security Technical and Organisational Measures.
7.1 Appian maintains an information security management program (“Program”) which includes administrative, technical and physical safeguards designed to: (a) protect and secure Customer Personal Data from unauthorized access, use or disclosure; and (b) protect against anticipated threats or hazards to the security or integrity of Customer Personal Data. The Program is documented and kept current by Appian based on changes to industry standard information security practices and legal and regulatory requirements applicable to Appian. The Program at a minimum adheres to applicable information security practices as identified in International Organization for Standardization 27001 (ISO/IEC 27001).
7.2 In respect of its Cloud Offering, Appian maintains an annual Service Organization Control (SOC) report in connection with the cloud-based elements of the Appian software. Appian will use procedural, technical, and administrative safeguards for the Appian Cloud Offering in accordance with the measures set forth in Appian’s then-current SOC 2 Type II report. During the [Subscription Term], Appian will not materially reduce the overall level of security set forth in its SOC 2 report as of the Effective Date of this DPA, but may replace or upgrade controls to maintain or increase the security level.
7.3 Upon request, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Appian shall provide to Customer copies of Appian’s then most recent audit reports and certificates (“Trust Documents”) that detail Appian’s security controls related to the Cloud Offering so that the Customer may validate these controls. Upon thirty (30) days prior written notice, Appian shall use commercially reasonable efforts to support a once annual security review by Customer to assess the effectiveness of Appian’s compliance with Appian’s requirements under this DPA and demonstrate compliance with the obligations laid down in Article 28 of the GDPR, but only to the extent the scope of such audit is not addressed in the Trust Documents provided by Appian. Before the commencement of any audit, Appian and Customer shall mutually agree upon the timing and duration of the audit. Customer acknowledges and accepts that with respect to Amazon Web Services (AWS), an Appian Sub-Processor, Appian is able to evidence that AWS has undergone an annual independent third party security audit but cannot commit to procure AWS’s compliance with any specific audit requirement from Customer.
7.4 Appian shall notify Customer without undue delay (unless compelled by law otherwise), and, where feasible, not later than 72 hours after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Appian or its Sub-Processors (a “Security Incident”). Appian shall take such steps as Appian deems necessary and reasonable to remediate the cause of such a Security Incident, to the extent the remediation is within Appian’s reasonable control. The obligations in this Clause shall not apply to Security Incidents that are attributable to Customer or Customer’s Users.
8. Appian Sub-Processors.
8.1 Customer hereby authorises Appian to transfer Customer Personal Data to Appian branches, Affiliates and selected third parties (together “Sub-Processors”), within and outside the EEA or Switzerland for Processing for the purposes of performing its obligations under the Agreement and/or as may be expressly authorised by Customer. Appian has entered into a written agreement with each Sub-Processor containing data protection obligations that are consistent with those in this Agreement with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-Processor.
8.2 Appian Sub-Processors may (i) in the case of Appian branches and Affiliates, provide maintenance services to a Customer in connection with the Customer’s use of covered Appian Services. These entities may respond to a Customer’s request for technical support and/or defect correction services as part of the maintenance services provided by Appian on its products/services; and (ii) in the case of third parties, provide additional services related to the performance or security of the Appian Cloud Offering.
8.3 The Sub-Processors currently engaged by Appian are posted at https://assets.appian.com/uploads/sub-process-notice.pdf or at such other URL that Appian may provide to the Customer from time-to-time (“Site”). For the avoidance of doubt, Appian will ensure that the link is continuously available (e.g., not a broken link). The Site shall include the identities of those Sub-Processors, their country of location and the duties of such Sub-Processor with respect to Customer Personal Data. The Customer’s execution of this DPA shall constitute written consent for Appian to engage the Sub-Processors named on the Site.
8.4 At least 30 days before Appian engages a Sub-Processor, Appian will update the list of Sub-Processors available on the Site.
9. Liability.
Where the Customer has entered into an Agreement with Appian, the parties acknowledge and agree that any liability incurred by either party as a result of a breach of the terms of this DPA shall be subject to the limitation of liability set out in the Agreement, such that the limitation of liability set out in the Agreement applies to each Party’s liability in the aggregate under both the Agreement and DPA together.
10. General.
The Competent Supervisory Authority shall be the supervisory authority of the EU Member State where the Customer is headquartered. All capitalized terms not defined in this DPA shall have the meaning ascribed to them in the Agreement. In the event of any conflict, ambiguity or inconsistency between the Agreement (including any policies or schedules referenced therein) and the terms of this DPA, the relevant terms of this DPA shall prevail. This DPA shall continue in force until the termination of the Agreement (“Termination Date”).
11. Governing law and dispute resolution.
Where the Customer has entered into an Agreement with Appian, the parties acknowledge and agree that this DPA shall be subject to the governing law and dispute resolution provisions set out in the Agreement.
12. Notices.
12.1. The notice provisions set out in the Agreement shall apply to this DPA.