Pinecone Data Processing Addendum

This Data Processing Addendum (DPA), dated 2024-05-24, governs Pinecone Systems, Inc.'s processing of Customer Personal Data in its role as a data processor under the Master Subscription Agreement, incorporating Standard Contractual Clauses where applicable. The agreement states that Pinecone will process Customer Personal Data only in accordance with Customer's documented instructions, that Pinecone remains fully liable for Subprocessor breaches to the same extent as if caused by Pinecone directly, and that Pinecone will notify Customer within 72 hours of becoming aware of a Security Incident. The DPA establishes that Customer bears sole responsibility for ensuring lawful bases for processing and for excluding special categories of personal data (GDPR Articles 9 and 10) from Customer Data, a responsibility allocation that places significant compliance burden on the Customer; the sole remedy available to Customer upon unresolved Subprocessor objections is termination of affected service subscriptions with prepaid fee refund, which forecloses other contractual remedies. The DPA explicitly engages the EU GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, Colorado Privacy Act, Connecticut Personal Data Privacy and Online Monitoring Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, incorporating EU Commission SCCs (Implementing Decision 2021/914) and the ICO UK Addendum (version B1.0) for cross-border data transfers. Compliance teams should note that the DPA permits Pinecone to modify its Security Measures unilaterally provided modifications do not materially diminish overall security, and authorizes Pinecone to update its Subprocessor list with only 15-day advance notice to Customers, which may require evaluation under GDPR Article 28 requirements for prior specific or general written authorization of subprocessors.