Tailscale Data Protection DPA for Customers
Effective date: 2023-07-05
This Data Privacy Addendum ("DPA") forms part of the underlying agreement (either a Master Services Agreement or Terms of Service), along with any associated contractual document between the Parties, such as an order form or statement of work ("Agreement") by and between Tailscale Inc. ("Tailscale") and the customer named in the Agreement ("Customer"), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the Agreement.
Customer and Tailscale agree as follows:
1. Definitions. For purposes of this DPA:
a. “Data Protection Law(s)” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), the United Kingdom Data Protection Act of 2018 ("UK Privacy Act"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and associated amendments and regulations thereto ("CCPA"), and the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA").
b. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws, that is Processed in relation to the Agreement.
e. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purposes of Processing.
a. The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedules. The details provided in Schedule A are deemed to satisfy any requirement to provide some or all of such details under any Data Privacy Law.
b. Tailscale will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; and (3) in compliance with applicable Data Protection Laws. Tailscale will not “sell” Personal Data (as such term is defined in applicable Data Protection Laws), “share” Personal Data for purposes of “cross-context behavioral advertising” (as such terms are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer.
c. Tailscale will comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Tailscale receives from, or on behalf of, another person or persons, or that Tailscale collects from any interaction between it and a Data Subject.
3. Personal Data Processing Requirements. Tailscale will:
a. Provide the same level of protection for Personal Data as is required under the Data Protection Laws applicable to Customer.
b. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data).
d. Promptly, and in any event within seven (7) business days, notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Tailscale’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws. Following such notification, Tailscale will await written instructions from Customer on how, if at all, to assist in responding to the request. Tailscale will provide Customer with reasonable cooperation and assistance in relation to any such request. If Tailscale is prohibited from providing notice regarding a government request, and determines that the request would interfere with Tailscale’s ability to meet its obligations under this DPA, Tailscale will notify Customer that Tailscale can no longer comply with this DPA, without being required to identify the specific provision with which it can no longer comply.
e. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws.
f. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Customer under Data Protection Laws to consult with a regulatory authority in relation to Tailscale’s Processing or proposed Processing of Personal Data.
g. Tailscale certifies that it understands its obligations under this DPA (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.
4. Data Security. Tailscale will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Schedule B.
5. Security Breach. Tailscale will notify Customer promptly, and in any event within forty-eight (48) hours, of any Security Breach resulting from Tailscale’s Processing of Personal Data on behalf of Customer. Tailscale will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
a. At Tailscale’s own expense, taking reasonable and appropriate steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
b. Providing Customer with the following information, to the extent known:
i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
ii. The likely consequences of the Security Breach; and
iii. Measures taken or proposed to be taken by Tailscale to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors.
a. Customer acknowledges and agrees that Tailscale may use Tailscale affiliates and other subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where Tailscale sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Tailscale will: (1) take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws; and (2) require that each subprocessor complies with obligations that are no less restrictive than those imposed on Tailscale under this DPA.
b. To the extent required by applicable Data Protection Laws, Tailscale has provided a current list of Tailscale’s subprocessors, set forth herein as Schedule C, and Customer hereby consents to Tailscale’s use of such subprocessors. Tailscale will maintain an up-to-date list of its subprocessors, and it will provide Customer with reasonable notice of any new subprocessor added to the list. In the event Customer objects to a new subprocessor, Tailscale will not transfer Personal Data to the new subprocessor and will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to subprocessor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement at any time by providing written notice to Tailscale in the event that it objects to a subprocessor and Tailscale is unable to offer reasonable changes to the services to satisfy Customer.
7. Data Transfers.
a. Tailscale will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where Tailscale engages in an onward transfer of Personal Data, Tailscale shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
b. To the extent legally required, by signing this DPA, Customer and Tailscale are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
i. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Tailscale (as a processor);
ii. Clause 7 (the optional docking clause) is included;
iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Schedule C of this DPA and Tailscale shall propose an update to that list at least fifteen (15) business days in advance of any intended additions or replacements of sub-processors in accordance with Section 6(b) of this DPA;
iv. Under Clause 11 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the law of Ireland;
vi. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
vii. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
viii. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
ix. Annex II (Technical and organizational measures) is completed with Schedule B of this DPA; and
x. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. Tailscale's current subprocessors are listed in Schedule C.
c. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall have the meanings given in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
i. Table 1 of the UK SCCs: 1. The Parties' details shall be the Parties and their affiliates to the extent any of them is involved in such transfer. 2. The Key Contact shall be the contacts set forth in the Agreement.
ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A, B, and C below.
iv. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
v. By entering into this DPA, the Parties are deemed to be signing the UK SCCs.
d. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits. Tailscale will make available to Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided that such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, at Customer’s sole expense, and to the extent Tailscale’s personnel are required to cooperate therewith, only during Tailscale’s normal business hours. Notwithstanding the foregoing, in the event of a Security Breach resulting from Tailscale’s Processing of Personal Data on behalf of Customer, Customer shall have the right to request an audit with no frequency cap, and any audits performed as the result of a Security Breach shall be performed at Tailscale’s sole expense.
9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, Tailscale will, at the choice of Customer and upon Customer’s written request, either at the termination of the Agreement or at any time during the term of the Agreement, return to Customer and/or securely destroy all Personal Data. Except to the extent prohibited by Data Protection Laws, Tailscale will inform Customer if it is not able to return or delete the Personal Data.
10. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Tailscale or its subprocessors Process the Personal Data.
Schedule A
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The data exporter is Customer.
Activities relevant to the data transferred under these SCCs: The data exporter is a user of Tailscale’s VPN Services pursuant to their underlying Agreement. The data exporter acts as a controller with respect to its own personal data.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both Parties.
Data importer(s):
Name: The data importer is Tailscale.
Activities relevant to the data transferred under these SCCs: The data importer is the provider of Services to the data exporter and its customers pursuant to their underlying Agreement. The data importer acts as the data exporter’s processor.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both Parties.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer’s employees and authorized users.
Categories of personal data transferred: The Personal Data transferred concern: the names and email addresses or usernames of Customer’s employees and authorized users; authorized user log-in authentication information; and metadata regarding devices used to connect to the Services, including device names, operating system type, host name, IP address and IP routing information, cryptographic public key, user agent (where applicable), language settings, date and time of access to the Tailscale VPN, logs describing connections and containing statistics about data sent to and from other devices (“Inter-Node Traffic Logs”), and version of Tailscale VPN installed. Tailscale does not Process in any way, or have the ability to access, the content of Customer’s traffic data transmitted through the Services, which is fully end-to-end encrypted.
Customers have the option, in their discretion, to use certain features and functionalities through the Tailscale Solution that may generate additional logs and other data that Tailscale processes and stores on behalf of our Customers (“Customer Log Data”). The Customer, and not Tailscale, has control over the contents of Customer Log Data processed through the Tailscale Solution using such additional features and functionalities.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A – as explained above, any traffic data transmitted through use of the Services is fully end-to-end encrypted and not accessible or viewable by Tailscale.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.
Nature of the processing: Tailscale Processes Personal Data solely in connection with providing its VPN services to Customer.
Purpose(s) of the data transfer and further processing: The objective of the transfer and further Processing of Personal Data by Tailscale is to provide Tailscale’s VPN services to Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary to provide the Services to Customer under the Agreement and the DPA, and otherwise in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent such information is provided to subprocessors for purposes of providing the Services.
C. COMPETENT SUPERVISORY AUTHORITY
See Section 7(b)(viii) of the DPA.
Schedule B
TAILSCALE DATA SECURITY MEASURES
Tailscale’s data security measures (“Tailscale Security Measures”) are outlined in depth at the following link: https://tailscale.com/security. At all times during the term of the Agreement and for as long as Tailscale is Processing Personal Data, Tailscale will maintain security measures that are at least as robust as those included in the Tailscale Security Measures on the date of execution of this DPA.
Schedule C
TAILSCALE SUBPROCESSORS