Terms of Use
Effective June 20th 2024
Wiz Website Terms of Use
Welcome to https://www.wiz.io/ (together with its subdomains, Content, Marks and services, the “Website”). Please read the following Terms of Use carefully before using this Website so that you are aware of your legal rights and obligations with respect to Wiz Inc. ("Wiz", "we", "our" or "us"). By accessing or using the Website, you expressly acknowledge and agree that you are entering a legal agreement with us and have understood and agree to comply with, and be legally bound by, these Terms of Use, together with our Privacy Policy (collectively the "Terms"). If you do not agree to be bound by these Terms please do not access or use the Website.
PLEASE ALSO READ THESE TERMS OF USE CAREFULLY, AS THEY AFFECT YOUR LEGAL RIGHTS AND OBLIGATIONS. PLEASE NOTE THAT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THESE TERMS REQUIRE THE USE OF ARBITRATION ON AN INDIVIDUAL BASIS TO RESOLVE DISPUTES, RATHER THAN COURTS OR JURY TRIALS, AND LIMIT THE REMEDIES AVAILABLE IN THE EVENT OF A DISPUTE.
1. Background. The Website is intended to provide you with information related to our products and services and to enable you to contact us via the Website.
2. Modification. We reserve the right, at our discretion, to change these Terms at any time. Such change will be effective ten (10) days following the posting of the revised Terms on the Website, and your continued use of the Website thereafter means that you accept those changes.
3. Ability to Accept Terms. The Website is only intended for individuals aged eighteen (18) years or older. If you are under eighteen (18) years old please do not visit or use the Website.
4. Website Access. For such time as these Terms are in effect, we hereby grant you permission to visit and use the Website, provided that you comply with these Terms and applicable laws.
5. Restrictions. You shall not: (i) copy, distribute or modify any part of the Website without our prior written authorization; (ii) use, modify, create derivative works of, transfer (by sale, resale, license, sublicense, download or otherwise), reproduce, distribute, display or disclose Content (defined below), except as expressly authorized herein; (iii) disrupt servers or networks connected to the Website; (iv) use or launch any automated system (including without limitation, "robots" and "spiders") to access the Website; and/or (v) circumvent, disable or otherwise interfere with security-related features of the Website or features that prevent or restrict use or copying of any Content or that enforce limitations on use of the Website.
6. Intellectual Property Rights.
6.1. Content and Marks. The (i) content on the Website, including without limitation, the text, documents, articles, brochures, descriptions, products, software, graphics, photos, sounds, videos, interactive features, and services (collectively, the "Content"), and (ii) the trademarks, service marks and logos contained therein ("Marks"), are the property of Wiz and/or its licensors and may be protected by applicable copyright or other intellectual property laws and treaties. “Wiz”, the Wiz logo, and other marks are Marks of Wiz or its affiliates. All other trademarks, service marks, and logos used on the Website are the trademarks, service marks, or logos of their respective owners. We reserve all rights not expressly granted in and to the Website and the Content.
6.2. Use of Content. Content on the Website is provided to you for your information and personal use only and may not be used, modified, copied, distributed, transmitted, broadcast, displayed, sold, licensed, de-compiled, or otherwise exploited for any other purposes whatsoever without our prior written consent. If you download or print a copy of the Content you must retain all copyright and other proprietary notices contained therein.
6.3. Spam. You agree not to, and will not, use the communication systems provided by the Website to send unauthorized commercial communications and you shall be solely responsible and liable for any such unauthorized communications.
7. Information Description. We attempt to be as accurate as possible. However, we cannot and do not warrant that the Content available on the Website is accurate, complete, reliable, current, or error-free. We reserve the right to make changes in or to the Content, or any part thereof, in our sole judgment, without the requirement of giving any notice prior to or after making such changes to the Content. Your use of the Content, or any part thereof, is made solely at your own risk and responsibility.
8. Links.
8.1. The Website may contain links, and may enable you to post content, to third party websites that are not owned or controlled by Wiz. We are not affiliated with, have no control over, and assume no responsibility for the content, privacy policies, or practices of, any third party websites. You: (i) are solely responsible and liable for your use of and linking to third party websites and any content that you may send or post to a third party website; and (ii) expressly release Wiz from any and all liability arising from your use of any third party website. Accordingly, we encourage you to read the terms and conditions and privacy policy of each third party website that you may choose to visit.
8.2. Wiz permits you to link to the Website provided that: (i) you link to but do not replicate any page on this Website; (ii) the hyperlink text shall accurately describe the Content as it appears on the Website; (iii) you shall not misrepresent your relationship with Wiz or present any false information about Wiz and shall not imply in any way that we are endorsing any services or products, unless we have given you our express prior consent; (iv) you shall not link from a website ("Third Party Website") which prohibits linking to third parties; (v) such Third Party Website does not contain content that (a) is offensive or controversial (both at our discretion), or (b) infringes any intellectual property, privacy rights, or other rights of any person or entity; and/or (vi) you, and your website, comply with these Terms and applicable law.
9. Privacy. We will use any personal information that we may collect or obtain in connection with the Website in accordance with our privacy policy which is available at: https://www.wiz.io/legal/privacy.
10. Warranty Disclaimers.
10.1. This section applies whether or not the services provided under the Website are for payment. Applicable law may not allow the exclusion of certain warranties, so to that extent certain exclusions set forth herein may not apply.
10.2. THE WEBSITE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. WIZ HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND THOSE ARISING BY STATUTE OR FROM A COURSE OF DEALING OR USAGE OF TRADE. WIZ DOES NOT GUARANTEE THAT THE WEBSITE WILL BE FREE OF BUGS, SECURITY BREACHES, OR VIRUS ATTACKS. THE WEBSITE MAY OCCASIONALLY BE UNAVAILABLE FOR ROUTINE MAINTENANCE, UPGRADING, OR OTHER REASONS. YOU AGREE THAT WIZ WILL NOT BE HELD RESPONSIBLE FOR ANY CONSEQUENCES TO YOU OR ANY THIRD PARTY THAT MAY RESULT FROM TECHNICAL PROBLEMS OF THE INTERNET, SLOW CONNECTIONS, TRAFFIC CONGESTION OR OVERLOAD OF OUR OR OTHER SERVERS. WE DO NOT WARRANT, ENDORSE OR GUARANTEE ANY CONTENT, PRODUCT, OR SERVICE THAT IS FEATURED OR ADVERTISED ON THE WEBSITE BY A THIRD PARTY.
10.3. EXCEPT AS EXPRESSLY STATED IN OUR PRIVACY POLICY, WIZ DOES NOT MAKE ANY REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE SECURITY OF ANY INFORMATION YOU MAY PROVIDE OR ACTIVITIES YOU ENGAGE IN DURING THE COURSE OF YOUR USE OF THE WEBSITE.
11. Limitation of Liability.
11.1. TO THE FULLEST EXTENT PERMISSIBLE BY LAW, WIZ SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, EXEMPLARY, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES OF ANY KIND, OR FOR ANY LOSS OF DATA, REVENUE, PROFITS OR REPUTATION, ARISING UNDER THESE TERMS OR OUT OF YOUR USE OF, OR INABILITY TO USE, THE WEBSITE, EVEN IF WIZ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES. Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so the above limitations may not apply to you.
11.2. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF WIZ FOR ANY DAMAGES ARISING UNDER THESE TERMS OR OUT OF YOUR USE OF, OR INABILITY TO USE THE WEBSITE, EXCEED THE TOTAL AMOUNT OF FEES, IF ANY, PAID BY YOU TO WIZ FOR USING THE WEBSITE DURING THE THREE (3) MONTHS PRIOR TO BRINGING THE CLAIM.
12. Indemnity. You agree to defend, indemnify and hold harmless Wiz and our affiliates, and our respective officers, directors, employees and agents, from and against any and all claims, damages, obligations, losses, liabilities, costs and expenses (including but not limited to attorney's fees) arising from: (i) your use of, or inability to use, the Website; (ii) your interaction with any Website user; or (iii) your violation of these Terms.
13. Dispute Resolution: PLEASE READ THIS “DISPUTE RESOLUTION” SECTION CAREFULLY, AS IT MAY SIGNIFICANTLY AFFECT YOUR LEGAL RIGHTS, INCLUDING YOUR RIGHT TO FILE OR PARTICIPATE IN A LAWSUIT FILED IN COURT.
13.1. Informal dispute resolution procedure. If a dispute arises between you and Wiz, we are committed to working with you to reach a reasonable resolution. For any such dispute, both parties acknowledge and agree that they will first make a good faith effort to resolve it informally before initiating any formal dispute resolution proceeding in arbitration or otherwise. This requires first sending a written description of the dispute to the other party. For any dispute you initiate, you agree to send the written description of the dispute along with the email address associated with your account, if any, to the following email address: legalnotices@wiz.io. For any dispute that Wiz initiates, we will send our written description of the dispute to the email address associated with your Wiz account (if any) or to any email address we have on file for you. The written description must be on an individual basis and provide, at minimum, the following information: your name; a description of the nature or basis of the claim or dispute; and the specific relief sought. If the dispute is not resolved within sixty (60) days after receipt of the written description of the dispute, you and Wiz agree to the further dispute resolution provisions below.
The above process for an informal dispute resolution process is required before you may commence any formal dispute resolution proceeding. The parties agree that any relevant limitations period and filing fees or other deadlines will be tolled while the parties engage in this informal dispute resolution process.
13.2. Mutual arbitration agreement. You and Wiz agree that all claims, disputes, or disagreements that may arise out of the interpretation or performance of these Terms (including its formation, performance, and breach) or payments by or to Wiz, or that in any way relate to the provision or use of the Website, your relationship with Wiz, or any other dispute with Wiz, shall be resolved exclusively through binding arbitration in accordance with this Section 13 (collectively, the “Arbitration Agreement”). This includes claims that arose, were asserted, or involve facts occurring before the existence of this Arbitration Agreement or any prior agreement as well as claims that may arise after the termination of this Arbitration Agreement, in accordance with the notice and opt-out provisions set forth in Sections 13.10 and 13.11. This Arbitration Agreement is governed by the Federal Arbitration Act (“FAA”) in all respects and evidences a transaction involving interstate commerce. You and Wiz expressly agree that the FAA shall exclusively govern the interpretation and enforcement of this Arbitration Agreement. If for whatever reason the rules and procedures of the FAA cannot apply, the state law governing arbitration agreements in the state in which you reside shall apply.
Except as set forth in this Section 13.2, the arbitrator or arbitration body, and not any federal, state or local court or agency, shall have exclusive authority to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability or formation of the Agreement (including these Terms) and this Arbitration Agreement, including, but not limited to any claim that all or any part thereof are void or voidable, whether a claim is subject to arbitration, and any dispute regarding the payment of administrative or arbitrator fees (including the timing of such payments and remedies for nonpayment). The arbitrator or arbitration body shall be empowered to grant whatever relief would be available in a court under law or in equity.
Notwithstanding the parties' decision to resolve all disputes through arbitration, each party retains the right to (i) elect to have any claims resolved in small claims court on an individual basis for disputes and actions within the scope of such court's jurisdiction, regardless of what forum the filing party initially chose; (ii) bring an action in state or federal court to protect its intellectual property rights (“intellectual property rights” in this context means patents, copyrights, moral rights, trademarks, and trade secrets and other confidential or proprietary information, but not privacy or publicity rights); and (iii) seek a declaratory judgment, injunction, or other equitable relief in a court of competent jurisdiction regarding whether a party's claims are time-barred or may be brought in small claims court. Seeking such relief shall not waive a party's right to arbitration under this agreement, and any filed arbitrations related to any action filed pursuant to this paragraph shall automatically be stayed pending the outcome of such action.
You and Wiz agree to submit to the personal jurisdiction of any federal or state court in New York, NY in order to compel arbitration, to stay proceedings pending arbitration, or to confirm, modify, vacate, or enter judgment on the award entered by the arbitrator; and in connection with any such proceeding, further agree to accept service of process by U.S. mail and hereby waive any and all jurisdictional and venue defenses otherwise available.
Except as set forth in Section 13.3 below, if any provision of this Arbitration Agreement is found by an arbitrator or court of competent jurisdiction to be invalid, the parties nevertheless agree that the arbitrator or court should endeavor to give effect to the parties’ intentions as reflected in the provision, and the other provisions thereof remain in full force and effect.
THE PARTIES UNDERSTAND THAT ARBITRATION MEANS THAT AN ARBITRATOR AND NOT A JUDGE OR JURY WILL DECIDE THE CLAIM, AND THAT RIGHTS TO PREHEARING EXCHANGE OF INFORMATION AND APPEALS MAY BE LIMITED IN ARBITRATION. YOU HEREBY ACKNOWLEDGE AND AGREE THAT YOU AND Wiz ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY TO THE MAXIMUM EXTENT PERMITTED BY LAW.
13.3. Class arbitration and collective relief waiver. YOU AND WIZ ACKNOWLEDGE AND AGREE THAT, TO THE MAXIMUM EXTENT ALLOWED BY LAW, EXCEPT AS SET OUT OTHERWISE IN THIS SECTION 13.3 AND SECTION 13.7 BELOW, ANY ARBITRATION SHALL BE CONDUCTED IN AN INDIVIDUAL CAPACITY ONLY AND NOT AS A CLASS OR OTHER CONSOLIDATED ACTION AND THE ARBITRATOR MAY AWARD RELIEF ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO RESOLVE AN INDIVIDUAL PARTY'S CLAIM, UNLESS WIZ PROVIDES ITS CONSENT TO CONSOLIDATE IN WRITING.
If there is a final judicial determination that either the Class Arbitration Action and Collective Relief Waiver or the provisions in Section 13.7 are not enforceable as to a particular claim or request for relief, then the parties agree that that particular claim or request for relief may proceed in court but shall be severed and stayed pending arbitration of the remaining claims. This provision does not prevent you or Wiz from participating in a class-wide settlement of claims.
13.4. Arbitration rules. The arbitration will be administered by National Arbitration and Mediation (“NAM”) and resolved before a single arbitrator. If NAM is not available to arbitrate, the parties will select an alternative arbitration provider, but in no event shall any arbitration be administered by the American Arbitration Association. Except as modified by this “Dispute Resolution” provision, NAM will administer the arbitration in accordance with the NAM Comprehensive Dispute Resolution Rules and Procedures, Fees For Disputes When One of the Parties is a Consumer and the Mass Filing Dispute Resolution Rules and Procedures in effect at the time any demand for arbitration is filed with NAM, excluding any rules or procedures governing or permitting class or representative actions. The applicable NAM rules and procedures are available at www.namadr.com or by emailing National Arbitration and Mediation's Commercial Dept at commercial@namadr.com.
13.5. Initiating arbitration. Only after the parties have engaged in a good-faith effort to resolve the dispute in accordance with the Informal Dispute Resolution Procedure provision, and only if those efforts fail, then either party may initiate binding arbitration as the sole means to resolve claims using the procedures set forth in the applicable NAM rules. If you are initiating arbitration, a copy of the demand shall also be emailed to legalnotices@wiz.io. If Wiz is initiating arbitration, it will serve a copy of the demand to the email address associated with your Wiz account or the email that Wiz has on file for you. The arbitrator has the right to impose sanctions in accordance with the NAM rules and procedures for any frivolous claims or submissions the arbitrator determines have not been filed in good faith, as well as for a party's failure to comply with the Informal Dispute Resolution Procedure contemplated by this Agreement.
13.6. Arbitration location and procedure. If you are a resident of the United States the arbitration will be conducted in the county where you reside, and if you are not a resident of the United States the arbitration shall be conducted in New York, New York, United States of America, unless you and Wiz otherwise agree or unless the designated arbitrator determines that such venue would be unreasonably burdensome to any party, in which case the arbitrator shall have the discretion to select another venue. If the amount in controversy does not exceed $10,000 and you do not seek injunctive or declaratory relief, then the arbitration will be conducted solely on the basis of documents you and Wiz submit to the arbitrator, unless the arbitrator determines that a hearing is necessary. If the amount in controversy exceeds $10,000 or seeks declaratory or injunctive relief, either party may request (or the arbitrator may determine) to hold a hearing, which shall be via videoconference or telephone conference unless the parties agree otherwise.
Subject to the applicable NAM rules and procedures, the parties agree that the arbitrator will have the discretion to allow the filing of dispositive motions if they are likely to efficiently resolve or narrow issues in dispute. Unless otherwise prohibited by law, all arbitration proceedings will be confidential and closed to the public and any parties other than you and Wiz (and each of the parties’ authorized representatives and agents), and all records relating thereto will be permanently sealed, except as necessary to obtain court confirmation of the arbitration award (provided that the party seeking confirmation shall seek to file such records under seal to the extent permitted by law).
13.7. Batch arbitration. To increase the efficiency of administration and resolution of arbitrations, in the event 100 or more similar arbitration demands (those asserting the same or substantially similar facts or claims, and seeking the same or substantially similar relief) presented by or with the assistance or coordination of the same law firm(s) or organization(s) are submitted to NAM (or another arbitration provider selected in accordance with Section 13.4 if NAM is unavailable) against Wiz within reasonably close proximity (“Mass Filing”), the parties agree (i) to administer the Mass Filing in batches of 100 demands per batch (to the extent there are fewer than 100 arbitration demands left over after the batching described above, a final batch will consist of the remaining demands) with only one batch filed, processed, and adjudicated at a time; (ii) to designate one arbitrator for each batch; (iii) to accept applicable fees, including any related fee reduction determined by NAM (or another arbitration provider selected in accordance with 13.4 if NAM is unavailable) in its discretion; (iv) that no other demands for arbitration that are part of the Mass Filing may be filed, processed, or adjudicated until the prior batch of 100 is filed, processed, and adjudicated; (v) that fees associated with a demand for arbitration included in a Mass Filing, including fees owed by Wiz and the claimants, shall only be due after your demand for arbitration is included in a set of batch proceedings and that batch is properly designated for filing, processing, and adjudication; and (vi) that the staged process of batched proceedings, with each set including 100 demands, shall continue until each demand (including your demand) is adjudicated or otherwise resolved. 
Arbitrator selection for each batch shall be conducted to the greatest extent possible in accordance with the applicable NAM rules and procedures for such selection, and the arbitrator will determine the location where the proceedings will be conducted. You agree to cooperate in good faith with Wiz and the arbitration provider to implement such a “batch approach” or other similar approach to provide for an efficient resolution of claims, including the payment of combined reduced fees, set by NAM in its discretion, for each batch of claims. The parties further agree to cooperate with each other and the arbitration provider or arbitrator to establish any other processes or procedures that the arbitration provider or arbitrator believe will provide for an efficient resolution of claims. Any disagreement between the parties as to whether this provision applies or as to the process or procedure for batching shall be resolved by a procedural arbitrator appointed by NAM. This “Batch Arbitration” provision shall in no way be interpreted as increasing the number of claims necessary to trigger the applicability of NAM’s Mass Filing Supplemental Dispute Resolution Rules and Procedures or authorizing class arbitration of any kind. Unless Wiz otherwise consents in writing, Wiz does not agree or consent to class arbitration, private attorney general arbitration, or arbitration involving joint or consolidated claims under any circumstances, except as set forth in section 13.3 above and this section 13.7. If your demand for arbitration is included in the Mass Filing, your claims will remain tolled until your demand for arbitration is decided, withdrawn, or is settled.
13.8. Arbitrator's decision. The arbitrator will render an award within the time frame specified in the applicable NAM rules and procedures. The arbitrator's decision will include the essential findings and conclusions upon which the arbitrator based the award. Judgment on the arbitration award may be entered in any court having jurisdiction thereof. The arbitrator will have the authority to award monetary damages on an individual basis and to grant, on an individual basis, any non-monetary remedy or relief available to an individual to the extent available under applicable law, the arbitral forum's rules, and this Arbitration Agreement. The parties agree that the damages and/or other relief must be consistent with section 13.3 above and also must be consistent with the terms of the “Limitation of Liability” section of the Agreement as to the types and the amounts of damages or other relief for which a party may be held liable. No arbitration award or decision will have any preclusive effect as to issues or claims in any dispute with anyone who is not a named party to the arbitration. Attorneys’ fees will be available to the prevailing party in the arbitration only if authorized under applicable substantive law governing the claims in the arbitration.
13.9. Fees. You are responsible for your own attorneys’ fees unless the arbitration rules and/or applicable law provide otherwise. The parties agree that NAM has discretion to reduce the amount or modify the timing of any administrative or arbitration fees due under NAM’s Rules where it deems appropriate (including as specified in Section 13.7), provided that such modification does not increase the costs to you, and you further agree that you waive any objection to such fee modification. The parties also agree that a good-faith challenge by either party to the fees imposed by NAM does not constitute a default, waiver, or breach of this Section 13 while such challenge remains pending before NAM, the arbitrator, and/or a court of competent jurisdiction, and that any and all due dates for those fees shall be tolled during the pendency of such challenge.
13.10. Right to opt-out of the Arbitration Agreement. IF YOU DO NOT WISH TO BE BOUND BY THE “ARBITRATION AGREEMENT” AS SET FORTH IN THIS “DISPUTE RESOLUTION” SECTION 13, THEN: (1) you must notify Wiz in writing within thirty (30) days of the date that you first use the Website or otherwise become subject to this Arbitration Agreement (or any subsequent changes to the provisions of the section titled “Dispute Resolution”); (2) your written notification must be mailed to: Wiz, Inc. Attn: Legal, One Manhattan West, 52nd Floor, New York, NY 10001 or emailed to legalnotices@wiz.io; and (3) your written notification must include (a) your name, (b) your address, (c) the date you purchased the product, if applicable and (d) a clear statement that you wish to opt out of this Arbitration Agreement. Wiz will continue to honor any valid opt outs if you opted out of arbitration in a prior version of the Agreement pursuant to the requirements set forth in that version. If you do not timely opt out of this Arbitration Agreement, such action shall constitute mutual acceptance of the terms of these “Dispute Resolution” provisions by you and Wiz.
13.11. Changes. Wiz will provide thirty (30) days’ notice of any changes to this “Dispute Resolution” section by posting the change on Wiz's website, or providing any other notice in accordance with legal requirements. Any such changes will go into effect 30 days after Wiz provides this notice and apply to all claims not yet filed. If you reject any such changes by opting out of the Arbitration Agreement, you may exercise your right to a trial by jury or judge, as permitted by applicable law, but any prior existing agreement to arbitrate disputes under a prior version of the Arbitration Agreement will not apply to claims not yet filed. If Wiz changes this “Dispute Resolution” section after the date you first accepted this Agreement (or accepted any subsequent changes to this Agreement), you agree that your continued use of the Website 30 days after such change will be deemed acceptance of those changes. If you do not agree to such change, you may opt out by providing notice as described in Section 13.10.
14. Term and Termination. These Terms are effective until terminated by Wiz or you. Wiz, in its sole discretion, has the right to terminate these Terms and/or your access to the Website, or any part thereof, immediately at any time and with or without cause (including, without any limitation, for a breach of these Terms). Wiz shall not be liable to you or any third party for termination of the Website, or any part thereof. If you object to any term or condition of these Terms, or any subsequent modifications thereto, or become dissatisfied with the Website in any way, your only recourse is to immediately discontinue your use of the Website. Upon termination of these Terms, you shall cease all use of the Website. This Section (Section 14) and Sections 6 (Intellectual Property Rights), 9 (Privacy), 10 (Warranty Disclaimers), 11 (Limitation of Liability), 12 (Indemnity), 13 (Dispute Resolution) and Sections 15 (Independent Contractors) to 18 (General) shall survive termination of these Terms.
15. Independent Contractors. You and Wiz are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between you and Wiz. You must not under any circumstances make, or undertake, any warranties, representations, commitments or obligations on behalf of Wiz.
16. Assignment. These Terms, and any rights and licenses granted hereunder, may not be transferred or assigned by you but may be assigned by Wiz without restriction or notification to you. Any prohibited assignment shall be null and void.
17. Governing Law. Wiz reserves the right to discontinue or modify any aspect of the Website at any time. These Terms and the relationship between you and Wiz shall be governed by and construed in accordance with the laws of the State of New York, without regard to its principles of conflict of laws. You agree to submit to the personal and exclusive jurisdiction of the courts located in New York City, New York and waive any jurisdictional, venue, or inconvenient forum objections to such courts, provided that Wiz may seek injunctive relief in any court of competent jurisdiction.
18. General. These Terms shall constitute the entire agreement between you and Wiz concerning the Website. If any provision of these Terms is deemed invalid by a court of competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions of these Terms, which shall remain in full force and effect. No waiver of any term of these Terms shall be deemed a further or continuing waiver of such term or any other term, and a party's failure to assert any right or provision under these Terms shall not constitute a waiver of such right or provision. YOU AGREE THAT ANY CAUSE OF ACTION THAT YOU MAY HAVE ARISING OUT OF OR RELATED TO THE WEBSITE MUST COMMENCE WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES. OTHERWISE, SUCH CAUSE OF ACTION IS PERMANENTLY BARRED.
Last updated: February 23, 2023
Effective October 9th 2023 to June 20th 2024
Wiz Website Terms of Use
Welcome to https://www.wiz.io/ (together with its subdomains, Content, Marks and services, the “Website”). Please read the following Terms of Use carefully before using this Website so that you are aware of your legal rights and obligations with respect to Wiz Inc. ("Wiz", "we", "our" or "us"). By accessing or using the Website, you expressly acknowledge and agree that you are entering a legal agreement with us and have understood and agree to comply with, and be legally bound by, these Terms of Use, together with our Privacy Policy (collectively the "Terms"). If you do not agree to be bound by these Terms please do not access or use the Website.
PLEASE ALSO READ THESE TERMS OF USE CAREFULLY, AS THEY AFFECT YOUR LEGAL RIGHTS AND OBLIGATIONS. PLEASE NOTE THAT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THESE TERMS REQUIRE THE USE OF ARBITRATION ON AN INDIVIDUAL BASIS TO RESOLVE DISPUTES, RATHER THAN COURTS OR JURY TRIALS, AND LIMIT THE REMEDIES AVAILABLE IN THE EVENT OF A DISPUTE.
1. Background. The Website is intended to provide you with information related to our products and services and to enable you to contact us via the Website.
2. Modification. We reserve the right, at our discretion, to change these Terms at any time. Such change will be effective ten (10) days following the posting of the revised Terms on the Website, and your continued use of the Website thereafter means that you accept those changes.
3. Ability to Accept Terms. The Website is only intended for individuals aged eighteen (18) years or older. If you are under eighteen (18) years old please do not visit or use the Website.
4. Website Access. For such time as these Terms are in effect, we hereby grant you permission to visit and use the Website, provided that you comply with these Terms and applicable laws.
5. Restrictions. You shall not: (i) copy, distribute or modify any part of the Website without our prior written authorization; (ii) use, modify, create derivative works of, transfer (by sale, resale, license, sublicense, download or otherwise), reproduce, distribute, display or disclose Content (defined below), except as expressly authorized herein; (iii) disrupt servers or networks connected to the Website; (iv) use or launch any automated system (including without limitation, "robots" and "spiders") to access the Website; and/or (v) circumvent, disable or otherwise interfere with security-related features of the Website or features that prevent or restrict use or copying of any Content or that enforce limitations on use of the Website.
6. Intellectual Property Rights.
6.1. Content and Marks. The (i) content on the Website, including without limitation, the text, documents, articles, brochures, descriptions, products, software, graphics, photos, sounds, videos, interactive features, and services (collectively, the "Content"), and (ii) the trademarks, service marks and logos contained therein ("Marks"), are the property of Wiz and/or its licensors and may be protected by applicable copyright or other intellectual property laws and treaties. “Wiz”, the Wiz logo, and other marks are Marks of Wiz or its affiliates. All other trademarks, service marks, and logos used on the Website are the trademarks, service marks, or logos of their respective owners. We reserve all rights not expressly granted in and to the Website and the Content.
6.2. Use of Content. Content on the Website is provided to you for your information and personal use only and may not be used, modified, copied, distributed, transmitted, broadcast, displayed, sold, licensed, de-compiled, or otherwise exploited for any other purposes whatsoever without our prior written consent. If you download or print a copy of the Content you must retain all copyright and other proprietary notices contained therein.
6.3. Spam. You agree not to, and will not, use the communication systems provided by the Website to send unauthorized commercial communications and you shall be solely responsible and liable for any such unauthorized communications.
7. Information Description. We attempt to be as accurate as possible. However, we cannot and do not warrant that the Content available on the Website is accurate, complete, reliable, current, or error-free. We reserve the right to make changes in or to the Content, or any part thereof, in our sole judgment, without the requirement of giving any notice prior to or after making such changes to the Content. Your use of the Content, or any part thereof, is made solely at your own risk and responsibility.
8. Links.
8.1. The Website may contain links, and may enable you to post content, to third party websites that are not owned or controlled by Wiz. We are not affiliated with, have no control over, and assume no responsibility for the content, privacy policies, or practices of, any third party websites. You: (i) are solely responsible and liable for your use of and linking to third party websites and any content that you may send or post to a third party website; and (ii) expressly release Wiz from any and all liability arising from your use of any third party website. Accordingly, we encourage you to read the terms and conditions and privacy policy of each third party website that you may choose to visit.
8.2. Wiz permits you to link to the Website provided that: (i) you link to but do not replicate any page on this Website; (ii) the hyperlink text shall accurately describe the Content as it appears on the Website; (iii) you shall not misrepresent your relationship with Wiz or present any false information about Wiz and shall not imply in any way that we are endorsing any services or products, unless we have given you our express prior consent; (iv) you shall not link from a website ("Third Party Website") which prohibits linking to third parties; (v) such Third Party Website does not contain content that (a) is offensive or controversial (both at our discretion), or (b) infringes any intellectual property, privacy rights, or other rights of any person or entity; and/or (vi) you, and your website, comply with these Terms and applicable law.
9. Privacy. We will use any personal information that we may collect or obtain in connection with the Website in accordance with our privacy policy which is available at: https://www.wiz.io/legal/privacy.
10. Warranty Disclaimers.
10.1. This section applies whether or not the services provided under the Website are for payment. Applicable law may not allow the exclusion of certain warranties, so to that extent certain exclusions set forth herein may not apply.
10.2. THE WEBSITE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. WIZ HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND THOSE ARISING BY STATUTE OR FROM A COURSE OF DEALING OR USAGE OF TRADE. WIZ DOES NOT GUARANTEE THAT THE WEBSITE WILL BE FREE OF BUGS, SECURITY BREACHES, OR VIRUS ATTACKS. THE WEBSITE MAY OCCASIONALLY BE UNAVAILABLE FOR ROUTINE MAINTENANCE, UPGRADING, OR OTHER REASONS. YOU AGREE THAT WIZ WILL NOT BE HELD RESPONSIBLE FOR ANY CONSEQUENCES TO YOU OR ANY THIRD PARTY THAT MAY RESULT FROM TECHNICAL PROBLEMS OF THE INTERNET, SLOW CONNECTIONS, TRAFFIC CONGESTION OR OVERLOAD OF OUR OR OTHER SERVERS. WE DO NOT WARRANT, ENDORSE OR GUARANTEE ANY CONTENT, PRODUCT, OR SERVICE THAT IS FEATURED OR ADVERTISED ON THE WEBSITE BY A THIRD PARTY.
10.3. EXCEPT AS EXPRESSLY STATED IN OUR PRIVACY POLICY, WIZ DOES NOT MAKE ANY REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE SECURITY OF ANY INFORMATION YOU MAY PROVIDE OR ACTIVITIES YOU ENGAGE IN DURING THE COURSE OF YOUR USE OF THE WEBSITE.
11. Limitation of Liability.
11.1. TO THE FULLEST EXTENT PERMISSIBLE BY LAW, WIZ SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, EXEMPLARY, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES OF ANY KIND, OR FOR ANY LOSS OF DATA, REVENUE, PROFITS OR REPUTATION, ARISING UNDER THESE TERMS OR OUT OF YOUR USE OF, OR INABILITY TO USE, THE WEBSITE, EVEN IF WIZ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES. Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so the above limitations may not apply to you.
11.2. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF WIZ FOR ANY DAMAGES ARISING UNDER THESE TERMS OR OUT OF YOUR USE OF, OR INABILITY TO USE THE WEBSITE, EXCEED THE TOTAL AMOUNT OF FEES, IF ANY, PAID BY YOU TO WIZ FOR USING THE WEBSITE DURING THE THREE (3) MONTHS PRIOR TO BRINGING THE CLAIM.
12. Indemnity. You agree to defend, indemnify and hold harmless Wiz and our affiliates, and our respective officers, directors, employees and agents, from and against any and all claims, damages, obligations, losses, liabilities, costs and expenses (including but not limited to attorney's fees) arising from: (i) your use of, or inability to use, the Website; (ii) your interaction with any Website user; or (iii) your violation of these Terms.
13. Dispute Resolution: PLEASE READ THIS “DISPUTE RESOLUTION” SECTION CAREFULLY, AS IT MAY SIGNIFICANTLY AFFECT YOUR LEGAL RIGHTS, INCLUDING YOUR RIGHT TO FILE OR PARTICIPATE IN A LAWSUIT FILED IN COURT.
13.1. Informal dispute resolution procedure. If a dispute arises between you and Wiz, we are committed to working with you to reach a reasonable resolution. For any such dispute, both parties acknowledge and agree that they will first make a good faith effort to resolve it informally before initiating any formal dispute resolution proceeding in arbitration or otherwise. This requires first sending a written description of the dispute to the other party. For any dispute you initiate, you agree to send the written description of the dispute along with the email address associated with your account, if any, to the following email address: legalnotices@wiz.io. For any dispute that Wiz initiates, we will send our written description of the dispute to the email address associated with your Wiz account (if any) or to any email address we have on file for you. The written description must be on an individual basis and provide, at minimum, the following information: your name; a description of the nature or basis of the claim or dispute; and the specific relief sought. If the dispute is not resolved within sixty (60) days after receipt of the written description of the dispute, you and Wiz agree to the further dispute resolution provisions below.
The above process for an informal dispute resolution process is required before you may commence any formal dispute resolution proceeding. The parties agree that any relevant limitations period and filing fees or other deadlines will be tolled while the parties engage in this informal dispute resolution process.
13.2. Mutual arbitration agreement. You and Wiz agree that all claims, disputes, or disagreements that may arise out of the interpretation or performance of these Terms (including its formation, performance, and breach) or payments by or to Wiz, or that in any way relate to the provision or use of the Website, your relationship with Wiz, or any other dispute with Wiz, shall be resolved exclusively through binding arbitration in accordance with this Section 13 (collectively, the “Arbitration Agreement”). This includes claims that arose, were asserted, or involve facts occurring before the existence of this Arbitration Agreement or any prior agreement as well as claims that may arise after the termination of this Arbitration Agreement, in accordance with the notice and opt-out provisions set forth in Sections 13.10 and 13.11. This Arbitration Agreement is governed by the Federal Arbitration Act (“FAA”) in all respects and evidences a transaction involving interstate commerce. You and Wiz expressly agree that the FAA shall exclusively govern the interpretation and enforcement of this Arbitration Agreement. If for whatever reason the rules and procedures of the FAA cannot apply, the state law governing arbitration agreements in the state in which you reside shall apply.
Except as set forth in this Section 13.2, the arbitrator or arbitration body, and not any federal, state or local court or agency, shall have exclusive authority to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability or formation of the Agreement (including these Terms) and this Arbitration Agreement, including, but not limited to any claim that all or any part thereof are void or voidable, whether a claim is subject to arbitration, and any dispute regarding the payment of administrative or arbitrator fees (including the timing of such payments and remedies for nonpayment). The arbitrator or arbitration body shall be empowered to grant whatever relief would be available in a court under law or in equity.
Notwithstanding the parties' decision to resolve all disputes through arbitration, each party retains the right to (i) elect to have any claims resolved in small claims court on an individual basis for disputes and actions within the scope of such court's jurisdiction, regardless of what forum the filing party initially chose; (ii) bring an action in state or federal court to protect its intellectual property rights (“intellectual property rights” in this context means patents, copyrights, moral rights, trademarks, and trade secrets and other confidential or proprietary information, but not privacy or publicity rights); and (iii) seek a declaratory judgment, injunction, or other equitable relief in a court of competent jurisdiction regarding whether a party's claims are time-barred or may be brought in small claims court. Seeking such relief shall not waive a party's right to arbitration under this agreement, and any filed arbitrations related to any action filed pursuant to this paragraph shall automatically be stayed pending the outcome of such action.
You and Wiz agree to submit to the personal jurisdiction of any federal or state court in New York, NY in order to compel arbitration, to stay proceedings pending arbitration, or to confirm, modify, vacate, or enter judgment on the award entered by the arbitrator; and in connection with any such proceeding, further agree to accept service of process by U.S. mail and hereby waive any and all jurisdictional and venue defenses otherwise available.
Except as set forth in Section 13.3 below, if any provision of this Arbitration Agreement is found by an arbitrator or court of competent jurisdiction to be invalid, the parties nevertheless agree that the arbitrator or court should endeavor to give effect to the parties’ intentions as reflected in the provision, and the other provisions thereof remain in full force and effect.
THE PARTIES UNDERSTAND THAT ARBITRATION MEANS THAT AN ARBITRATOR AND NOT A JUDGE OR JURY WILL DECIDE THE CLAIM, AND THAT RIGHTS TO PREHEARING EXCHANGE OF INFORMATION AND APPEALS MAY BE LIMITED IN ARBITRATION. YOU HEREBY ACKNOWLEDGE AND AGREE THAT YOU AND WIZ ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY TO THE MAXIMUM EXTENT PERMITTED BY LAW.
13.3. Class arbitration and collective relief waiver. YOU AND WIZ ACKNOWLEDGE AND AGREE THAT, TO THE MAXIMUM EXTENT ALLOWED BY LAW, EXCEPT AS SET OUT OTHERWISE IN THIS SECTION 13.3 AND SECTION 13.7 BELOW, ANY ARBITRATION SHALL BE CONDUCTED IN AN INDIVIDUAL CAPACITY ONLY AND NOT AS A CLASS OR OTHER CONSOLIDATED ACTION AND THE ARBITRATOR MAY AWARD RELIEF ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO RESOLVE AN INDIVIDUAL PARTY'S CLAIM, UNLESS WIZ PROVIDES ITS CONSENT TO CONSOLIDATE IN WRITING.
If there is a final judicial determination that either the Class Arbitration Action and Collective Relief Waiver or the provisions in Section 13.7 are not enforceable as to a particular claim or request for relief, then the parties agree that that particular claim or request for relief may proceed in court but shall be severed and stayed pending arbitration of the remaining claims. This provision does not prevent you or Wiz from participating in a class-wide settlement of claims.
13.4. Arbitration rules. The arbitration will be administered by National Arbitration and Mediation (“NAM”) and resolved before a single arbitrator. If NAM is not available to arbitrate, the parties will select an alternative arbitration provider, but in no event shall any arbitration be administered by the American Arbitration Association. Except as modified by this “Dispute Resolution” provision, NAM will administer the arbitration in accordance with the NAM Comprehensive Dispute Resolution Rules and Procedures, Fees For Disputes When One of the Parties is a Consumer and the Mass Filing Dispute Resolution Rules and Procedures in effect at the time any demand for arbitration is filed with NAM, excluding any rules or procedures governing or permitting class or representative actions. The applicable NAM rules and procedures are available at www.namadr.com or by emailing National Arbitration and Mediation's Commercial Dept at commercial@namadr.com.
13.5. Initiating arbitration. Only after the parties have engaged in a good-faith effort to resolve the dispute in accordance with the Informal Dispute Resolution Procedure provision, and only if those efforts fail, then either party may initiate binding arbitration as the sole means to resolve claims using the procedures set forth in the applicable NAM rules. If you are initiating arbitration, a copy of the demand shall also be emailed to legalnotices@wiz.io. If Wiz is initiating arbitration, it will serve a copy of the demand to the email address associated with your Wiz account or the email that Wiz has on file for you. The arbitrator has the right to impose sanctions in accordance with the NAM rules and procedures for any frivolous claims or submissions the arbitrator determines have not been filed in good faith, as well as for a party's failure to comply with the Informal Dispute Resolution Procedure contemplated by this Agreement.
13.6. Arbitration location and procedure. If you are a resident of the United States the arbitration will be conducted in the county where you reside, and if you are not a resident of the United States the arbitration shall be conducted in New York, New York, United States of America, unless you and Wiz otherwise agree or unless the designated arbitrator determines that such venue would be unreasonably burdensome to any party, in which case the arbitrator shall have the discretion to select another venue. If the amount in controversy does not exceed $10,000 and you do not seek injunctive or declaratory relief, then the arbitration will be conducted solely on the basis of documents you and Wiz submit to the arbitrator, unless the arbitrator determines that a hearing is necessary. If the amount in controversy exceeds $10,000 or seeks declaratory or injunctive relief, either party may request (or the arbitrator may determine) to hold a hearing, which shall be via videoconference or telephone conference unless the parties agree otherwise.
Subject to the applicable NAM rules and procedures, the parties agree that the arbitrator will have the discretion to allow the filing of dispositive motions if they are likely to efficiently resolve or narrow issues in dispute. Unless otherwise prohibited by law, all arbitration proceedings will be confidential and closed to the public and any parties other than you and Wiz (and each of the parties’ authorized representatives and agents), and all records relating thereto will be permanently sealed, except as necessary to obtain court confirmation of the arbitration award (provided that the party seeking confirmation shall seek to file such records under seal to the extent permitted by law).
13.7. Batch arbitration. To increase the efficiency of administration and resolution of arbitrations, in the event 100 or more similar arbitration demands (those asserting the same or substantially similar facts or claims, and seeking the same or substantially similar relief) presented by or with the assistance or coordination of the same law firm(s) or organization(s) are submitted to NAM (or another arbitration provider selected in accordance with Section 13.4 if NAM is unavailable) against Wiz within reasonably close proximity (“Mass Filing”), the parties agree (i) to administer the Mass Filing in batches of 100 demands per batch (to the extent there are fewer than 100 arbitration demands left over after the batching described above, a final batch will consist of the remaining demands) with only one batch filed, processed, and adjudicated at a time; (ii) to designate one arbitrator for each batch; (iii) to accept applicable fees, including any related fee reduction determined by NAM (or another arbitration provider selected in accordance with 13.4 if NAM is unavailable) in its discretion; (iv) that no other demands for arbitration that are part of the Mass Filing may be filed, processed, or adjudicated until the prior batch of 100 is filed, processed, and adjudicated; (v) that fees associated with a demand for arbitration included in a Mass Filing, including fees owed by Wiz and the claimants, shall only be due after your demand for arbitration is included in a set of batch proceedings and that batch is properly designated for filing, processing, and adjudication; and (vi) that the staged process of batched proceedings, with each set including 100 demands, shall continue until each demand (including your demand) is adjudicated or otherwise resolved. 
Arbitrator selection for each batch shall be conducted to the greatest extent possible in accordance with the applicable NAM rules and procedures for such selection, and the arbitrator will determine the location where the proceedings will be conducted. You agree to cooperate in good faith with Wiz and the arbitration provider to implement such a “batch approach” or other similar approach to provide for an efficient resolution of claims, including the payment of combined reduced fees, set by NAM in its discretion, for each batch of claims. The parties further agree to cooperate with each other and the arbitration provider or arbitrator to establish any other processes or procedures that the arbitration provider or arbitrator believe will provide for an efficient resolution of claims. Any disagreement between the parties as to whether this provision applies or as to the process or procedure for batching shall be resolved by a procedural arbitrator appointed by NAM. This “Batch Arbitration” provision shall in no way be interpreted as increasing the number of claims necessary to trigger the applicability of NAM’s Mass Filing Supplemental Dispute Resolution Rules and Procedures or authorizing class arbitration of any kind. Unless Wiz otherwise consents in writing, Wiz does not agree or consent to class arbitration, private attorney general arbitration, or arbitration involving joint or consolidated claims under any circumstances, except as set forth in section 13.3 above and this section 13.7. If your demand for arbitration is included in the Mass Filing, your claims will remain tolled until your demand for arbitration is decided, withdrawn, or is settled.
13.8. Arbitrator's decision. The arbitrator will render an award within the time frame specified in the applicable NAM rules and procedures. The arbitrator's decision will include the essential findings and conclusions upon which the arbitrator based the award. Judgment on the arbitration award may be entered in any court having jurisdiction thereof. The arbitrator will have the authority to award monetary damages on an individual basis and to grant, on an individual basis, any non-monetary remedy or relief available to an individual to the extent available under applicable law, the arbitral forum's rules, and this Arbitration Agreement. The parties agree that the damages and/or other relief must be consistent with section 13.3 above and also must be consistent with the terms of the “Limitation of Liability” section of the Agreement as to the types and the amounts of damages or other relief for which a party may be held liable. No arbitration award or decision will have any preclusive effect as to issues or claims in any dispute with anyone who is not a named party to the arbitration. Attorneys’ fees will be available to the prevailing party in the arbitration only if authorized under applicable substantive law governing the claims in the arbitration.
13.9. Fees. You are responsible for your own attorneys’ fees unless the arbitration rules and/or applicable law provide otherwise. The parties agree that NAM has discretion to reduce the amount or modify the timing of any administrative or arbitration fees due under NAM’s Rules where it deems appropriate (including as specified in Section 13.7), provided that such modification does not increase the costs to you, and you further agree that you waive any objection to such fee modification. The parties also agree that a good-faith challenge by either party to the fees imposed by NAM does not constitute a default, waiver, or breach of this Section 13 while such challenge remains pending before NAM, the arbitrator, and/or a court of competent jurisdiction, and that any and all due dates for those fees shall be tolled during the pendency of such challenge.
13.10. Right to opt-out of the Arbitration Agreement. IF YOU DO NOT WISH TO BE BOUND BY THE “ARBITRATION AGREEMENT” AS SET FORTH IN THIS “DISPUTE RESOLUTION” SECTION 13, THEN: (1) you must notify Wiz in writing within thirty (30) days of the date that you first use the Website or otherwise become subject to this Arbitration Agreement (or any subsequent changes to the provisions of the section titled “Dispute Resolution”); (2) your written notification must be mailed to: Wiz, Inc. Attn: Legal, One Manhattan West, 57th Floor, New York, NY 10001 or emailed to legalnotices@wiz.io; and (3) your written notification must include (a) your name, (b) your address, (c) the date you purchased the product, if applicable and (d) a clear statement that you wish to opt out of this Arbitration Agreement. Wiz will continue to honor any valid opt outs if you opted out of arbitration in a prior version of the Agreement pursuant to the requirements set forth in that version. If you do not timely opt out of this Arbitration Agreement, such action shall constitute mutual acceptance of the terms of these “Dispute Resolution” provisions by you and Wiz.
13.11. Changes. Wiz will provide thirty (30) days’ notice of any changes to this “Dispute Resolution” section by posting the change on Wiz's website, or providing any other notice in accordance with legal requirements. Any such changes will go into effect 30 days after Wiz provides this notice and apply to all claims not yet filed. If you reject any such changes by opting out of the Arbitration Agreement, you may exercise your right to a trial by jury or judge, as permitted by applicable law, but any prior existing agreement to arbitrate disputes under a prior version of the Arbitration Agreement will not apply to claims not yet filed. If Wiz changes this “Dispute Resolution” section after the date you first accepted this Agreement (or accepted any subsequent changes to this Agreement), you agree that your continued use of the Website 30 days after such change will be deemed acceptance of those changes. If you do not agree to such change, you may opt out by providing notice as described in Section 13.10.
14. Term and Termination. These Terms are effective until terminated by Wiz or you. Wiz, in its sole discretion, has the right to terminate these Terms and/or your access to the Website, or any part thereof, immediately at any time and with or without cause (including, without any limitation, for a breach of these Terms). Wiz shall not be liable to you or any third party for termination of the Website, or any part thereof. If you object to any term or condition of these Terms, or any subsequent modifications thereto, or become dissatisfied with the Website in any way, your only recourse is to immediately discontinue your use of the Website. Upon termination of these Terms, you shall cease all use of the Website. This Section (Section 14) and Sections 6 (Intellectual Property Rights), 9 (Privacy), 10 (Warranty Disclaimers), 11 (Limitation of Liability), 12 (Indemnity), 13 (Dispute Resolution) and Sections 15 (Independent Contractors) to 18 (General) shall survive termination of these Terms.
15. Independent Contractors. You and Wiz are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between you and Wiz. You must not under any circumstances make, or undertake, any warranties, representations, commitments or obligations on behalf of Wiz.
16. Assignment. These Terms, and any rights and licenses granted hereunder, may not be transferred or assigned by you but may be assigned by Wiz without restriction or notification to you. Any prohibited assignment shall be null and void.
17. Governing Law. Wiz reserves the right to discontinue or modify any aspect of the Website at any time. These Terms and the relationship between you and Wiz shall be governed by and construed in accordance with the laws of the State of New York, without regard to its principles of conflict of laws. You agree to submit to the personal and exclusive jurisdiction of the courts located in New York City, New York and waive any jurisdictional, venue, or inconvenient forum objections to such courts, provided that Wiz may seek injunctive relief in any court of competent jurisdiction.
18. General. These Terms shall constitute the entire agreement between you and Wiz concerning the Website. If any provision of these Terms is deemed invalid by a court of competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions of these Terms, which shall remain in full force and effect. No waiver of any term of these Terms shall be deemed a further or continuing waiver of such term or any other term, and a party's failure to assert any right or provision under these Terms shall not constitute a waiver of such right or provision. YOU AGREE THAT ANY CAUSE OF ACTION THAT YOU MAY HAVE ARISING OUT OF OR RELATED TO THE WEBSITE MUST COMMENCE WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES. OTHERWISE, SUCH CAUSE OF ACTION IS PERMANENTLY BARRED.
Last updated: February 23, 2023
Cookies Policy
Effective November 17th 2023 to August 21st 2024
Cookies Policy
Our website https://www.wiz.io/ ("Website") uses cookies and similar files or technologies to automatically collect and store information about your computer, device, and Website usage, in order to improve their performance and enhance your user experience. We use the general term "cookies" in this policy to refer to these technologies and all such similar technologies that collect information automatically when you are using our Website where this policy is posted. You can find out more about cookies and how to control them in the information below.
If you do not accept the use of these cookies, please disable them using the instructions in this Cookies Policy or by changing your browser settings so that cookies from this Website cannot be placed on your computer or mobile device. Important: disabling certain cookies on this Website may cripple the user experience and other features on the Website, to the point of rendering them useless.
In this Cookies Policy, we use the term Wiz (and "we", "us" and "our") to refer to Wiz Inc. and our affiliates. Our Privacy Policy is available at https://www.wiz.io/privacy-policy.
What is a cookie?
Cookies are computer files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies can then be sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide information to the owners of the website.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences and generally improving the user experience. Cookies may tell us, for example, whether you have visited our Website before or whether you are a new visitor.
There are two broad categories of cookies:
- First Party cookies, served directly by us to your computer or mobile device.
- Third Party cookies, which are served by a third party on our behalf. We use third party cookies for functionality, performance / analytics, marketing, unclassified and other technologies, and social media purposes.
Cookies can remain on your computer or mobile device for different periods of time. Some cookies are 'session cookies', meaning that they exist only while your browser is open. These are deleted automatically once you close your browser. Other cookies are 'permanent cookies', meaning that they survive after your browser is closed. They can be used by websites to recognize your computer when you open your browser and browse the Internet again.
What are web beacons?
Cookies are not the only way to recognize or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called "tracking pixels" or "clear gifs"). These are small graphics files that contain a unique identifier that enables us to recognize when someone has visited our website. This allows us, for example, to monitor the traffic patterns of users from one page within our website to another, to deliver or communicate with cookies, to understand whether you have come to our website from an online advertisement displayed on a third party website, to improve website performance and to measure the success of email marketing campaigns. In most instances, these technologies are reliant on cookies to function, and therefore declining cookies prevents them from functioning.
If you don't want your cookie information to be associated with your visits to these pages, you can set your browser to turn off cookies as described further below. If you turn off cookies, web beacons and other technologies will still detect your visits to our Website; however, they will not be associated with information otherwise stored in cookies.
Targeted advertising
Third parties may drop cookies on your computer or mobile device to serve advertising through our Website. These companies may use information about your visits to this and other websites in order to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology that is used to measure the effectiveness of advertisements. The information collected through this process does not enable us or them to identify your name, contact details or other personally identifying details unless you choose to provide these to us.
How do we use cookies?
We use cookies to:
- track traffic flow and patterns of travel and behavior in connection with our Website;
- understand the total number of visitors to our Websites on an ongoing basis and the types of internet browsers (e.g. Chrome, Firefox, Safari, or Internet Explorer) and operating systems (e.g. Windows or Mac) used by our visitors;
- monitor the performance of our Website and to continually improve it;
- in connection with our marketing and advertising efforts; and
- customize and enhance your online experience.
What types of cookies do we use?
The types of cookies used by us in connection with the Website can be considered “strictly necessary”, “performance or analytics cookies”, “marketing / targeting”, and “unclassified”. We've set out some further information below about each category.
Cookies strictly necessary for website purposes
These cookies are strictly necessary to provide you with services available through the Website and to use some of its features, such as access to secure areas. These cookies cannot be switched off, as without them we will not be able to provide essential website services.
Cookie Name | Type | Lifespan |
OptanonAlertBoxClosed | 1st Party | 1 year |
OptanonConsent | 1st Party | 1 year |
Performance / Analytics Cookies
We use performance/analytics cookies to analyze how the website is accessed, used, or is performing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. For example, these cookies allow us to:
- Better understand our website visitors so that we can improve how we present our content;
- Test different design ideas for particular pages, such as our homepage;
- Collect information about Website visitors such as where they are located and what browsers they are using;
- Determine the number of unique users of the website;
- Improve the website by measuring any errors that occur;
- Measure campaign effectiveness; and
- Conduct research and diagnostics to improve product offerings.
Cookie Name | Type | Lifespan |
_ga | 1st Party | 730 days |
_gid | 1st Party | 1 day |
_biz_sid | 1st Party | 0 days |
_biz_uid | 1st Party | 364 days |
_biz_nA | 1st Party | 364 days |
_biz_pendingA | 1st Party | 364 days |
_uetvid | 1st Party | 389 days |
_clsk | 1st Party | 0 days |
_session_id | 3rd Party | 13 days |
_clck | 1st Party | 364 days |
JSESSIONID | 3rd Party | 1 day |
_ga_xxxxxxx | 1st Party | 729 days |
ARRAffinity | 3rd Party | 0 days |
_gclxxxx | 1st Party | 90 days |
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
Cookie Name | Type | Lifespan |
_rdt_uuid | 1st Party | 90 days |
_gd_visitor | 1st Party | 730 days |
_gd_session | 1st Party | 0 days |
_mkto_trk | 1st Party | 730 days |
_an_uid | 1st Party | 6 days |
_gd_svisitor | 1st Party | 730 days |
vuid | 3rd Party | 729 days |
__cf_bm | 3rd Party | 0 days |
__cf_bm | 3rd Party | 0 days |
__cf_bm | 3rd Party | 0 days |
player | 3rd Party | 365 days |
__q_domainTest | 1st Party | 0 days |
Marketing / Targeting
We use marketing cookies to deliver many types of targeted digital marketing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. These cookies store user data and behavior information, which allows advertising services to target audiences according to variables. For example, these cookies allow us to:
- Observe the Website performance and generate retargeting (site retargeting, search retargeting, etc.).
- Maintain and improve the website and our products.
Cookie Name | Type | Lifespan |
NO NAME | 3rd Party | 0 days |
6suuid | 3rd Party | 729 days |
lidc | 3rd Party | 1 day |
_fbp | 1st Party | 90 days |
bcookie | 3rd Party | 731 days |
bscookie | 3rd Party | 731 days |
AnalyticsSyncHistory | 3rd Party | 30 days |
UserMatchHistory | 3rd Party | 30 days |
li_gc | 3rd Party | 713 days |
_BUID | 3rd Party | 364 days |
_biz_kvpA | 1st Party | 0 days |
_biz_dfsA | 1st Party | 0 days |
_BUID | 3rd Party | 364 days |
VISITOR_INFO1_LIVE | 3rd Party | 179 days |
YSC | 3rd Party | 0 days |
CONSENT | 3rd Party | 729 days |
_uetsid | 1st Party | 0 days |
ANONCHK | 3rd Party | 0 days |
SRM_B | 3rd Party | 389 days |
MUID | 3rd Party | 389 days |
SM | 3rd Party | 0 days |
muc_ads | 3rd Party | 729 days |
personalization_id | 3rd Party | 729 days |
in_or | 1st Party | 0 days |
q_state_ubFjDH1QLqM69tJc | 1st Party | 3649 days |
_gat_UA-XXXXXX-X | 1st Party | 0 days |
_biz_flagsA | 1st Party | 364 days |
__cf_bm | 3rd Party | 0 days |
guest_id | 3rd Party | 729 days |
MR | 3rd Party | 6 days |
guest_id_ads | 3rd Party | 729 days |
_cfuvid | 3rd Party | 0 days |
li_sugr | 3rd Party | 89 days |
MUID | 3rd Party | 389 days |
guest_id_marketing | 3rd Party | 729 days |
ARRAffinitySameSite | 3rd Party | 0 days |
visitorId | 3rd Party | 364 days |
CLID | 3rd Party | 364 days |
MR | 3rd Party | 6 days |
CLID | 3rd Party | 364 days |
ARRAffinity | 3rd Party | 0 days |
MR | 3rd Party | 6 days |
How to control or delete cookies
Most browsers allow you to change your cookie settings. These settings will typically be found in the “options” or “preferences” menu of your browser. In order to understand these settings and learn how to use them, please consult the “Help” function of your browser, or the documentation published online for your particular browser type and version. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our Website.
Depending on where you are located, you may also be able to change your cookie preferences using the cookies banner on our Website.
The following pages have information on how to change your cookies settings for the different browsers:
- Cookie settings in Chrome
- Cookie settings in Firefox
- Cookie settings in Internet Explorer
- Cookie settings in Safari and iOS
Third Party Websites' Cookies
When using our Website you may be directed to other websites. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our Website.
If you use the buttons that allow you to share products and content with your friends via social networks like Google, Twitter and Facebook, these companies may set a cookie on your computer memory. Find out more about these here:
- https://www.facebook.com/about/privacy
- http://twitter.com/privacy
- http://www.google.com/intl/en-GB/policies/privacy
Need More Information?
If you would like to find out more about cookies and their use on the Internet, you may find the following link useful: All About Cookies.
Cookies that have been set in the past
If you have disabled one or more cookies, we may still use information collected from cookies prior to your disabled preference being set; however, we will stop using the disabled cookie to collect any further information.
Contact us
If you have any questions or comments about this cookies policy, or privacy matters generally, please contact us via email at privacy@wiz.io.
Updated 15 November 2023
Effective November 17th 2023 to November 17th 2023
Cookies Policy
Our website https://www.wiz.io/ ("Website") uses cookies and similar files or technologies to automatically collect and store information about your computer, device, and Website usage, in order to improve their performance and enhance your user experience. We use the general term "cookies" in this policy to refer to these technologies and all such similar technologies that collect information automatically when you are using our Website where this policy is posted. You can find out more about cookies and how to control them in the information below.
If you do not accept the use of these cookies, please disable them using the instructions in this Cookies Policy or by changing your browser settings so that cookies from this Website cannot be placed on your computer or mobile device. Important: disabling certain cookies on this Website may cripple the user experience and other features on the Website, to the point of rendering them useless.
In this Cookies Policy, we use the term Wiz (and "we", "us" and "our") to refer to Wiz Inc. and our affiliates. Our Privacy Policy is available at https://legal.wiz.io/#privacy-policy.
What is a cookie?
Cookies are computer files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies can then be sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide information to the owners of the website.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences and generally improving the user experience. Cookies may tell us, for example, whether you have visited our Website before or whether you are a new visitor.
There are two broad categories of cookies:
- First Party cookies, served directly by us to your computer or mobile device.
- Third Party cookies, which are served by a third party on our behalf. We use third party cookies for functionality, performance / analytics, marketing, unclassified and other technologies, and social media purposes.
Cookies can remain on your computer or mobile device for different periods of time. Some cookies are 'session cookies', meaning that they exist only while your browser is open. These are deleted automatically once you close your browser. Other cookies are 'permanent cookies', meaning that they survive after your browser is closed. They can be used by websites to recognize your computer when you open your browser and browse the Internet again.
What are web beacons?
Cookies are not the only way to recognize or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called "tracking pixels" or "clear gifs"). These are small graphics files that contain a unique identifier that enables us to recognize when someone has visited our website. This allows us, for example, to monitor the traffic patterns of users from one page within our website to another, to deliver or communicate with cookies, to understand whether you have come to our website from an online advertisement displayed on a third party website, to improve website performance and to measure the success of email marketing campaigns. In most instances, these technologies are reliant on cookies to function, and therefore declining cookies prevents them from functioning.
If you don't want your cookie information to be associated with your visits to these pages, you can set your browser to turn off cookies as described further below. If you turn off cookies, web beacons and other technologies will still detect your visits to our Website; however, they will not be associated with information otherwise stored in cookies.
Targeted advertising
Third parties may drop cookies on your computer or mobile device to serve advertising through our Website. These companies may use information about your visits to this and other websites in order to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology that is used to measure the effectiveness of advertisements. The information collected through this process does not enable us or them to identify your name, contact details or other personally identifying details unless you choose to provide these to us.
How do we use cookies?
We use cookies to:
- track traffic flow and patterns of travel and behavior in connection with our Website;
- understand the total number of visitors to our Websites on an ongoing basis and the types of internet browsers (e.g. Chrome, Firefox, Safari, or Internet Explorer) and operating systems (e.g. Windows or Mac) used by our visitors;
- monitor the performance of our Website and to continually improve it;
- in connection with our marketing and advertising efforts; and
- customize and enhance your online experience.
What types of cookies do we use?
The types of cookies used by us in connection with the Website can be considered “strictly necessary”, “performance or analytics cookies”, “marketing / targeting”, and “unclassified”. We've set out some further information below about each category.
Cookies strictly necessary for website purposes
These cookies are strictly necessary to provide you with services available through the Website and to use some of its features, such as access to secure areas. These cookies cannot be switched off, as without them we will not be able to provide essential website services.
Cookie Name | Type | Lifespan |
OptanonAlertBoxClosed | 1st Party | 1 year |
OptanonConsent | 1st Party | 1 year |
Performance / Analytics Cookies
We use performance/analytics cookies to analyze how the website is accessed, used, or is performing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. For example, these cookies allow us to:
- Better understand our website visitors so that we can improve how we present our content;
- Test different design ideas for particular pages, such as our homepage;
- Collect information about Website visitors such as where they are located and what browsers they are using;
- Determine the number of unique users of the website;
- Improve the website by measuring any errors that occur;
- Measure campaign effectiveness; and
- Conduct research and diagnostics to improve product offerings.
Cookie Name | Type | Lifespan |
_ga | 1st Party | 730 days |
_gid | 1st Party | 1 day |
_biz_sid | 1st Party | 0 days |
_biz_uid | 1st Party | 364 days |
_biz_nA | 1st Party | 364 days |
_biz_pendingA | 1st Party | 364 days |
_uetvid | 1st Party | 389 days |
_clsk | 1st Party | 0 days |
_session_id | 3rd Party | 13 days |
_clck | 1st Party | 364 days |
JSESSIONID | 3rd Party | 1 day |
_ga_xxxxxxx | 1st Party | 729 days |
ARRAffinity | 3rd Party | 0 days |
_gclxxxx | 1st Party | 90 days |
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
Cookie Name | Type | Lifespan |
_rdt_uuid | 1st Party | 90 days |
_gd_visitor | 1st Party | 730 days |
_gd_session | 1st Party | 0 days |
_mkto_trk | 1st Party | 730 days |
_an_uid | 1st Party | 6 days |
_gd_svisitor | 1st Party | 730 days |
vuid | 3rd Party | 729 days |
__cf_bm | 3rd Party | 0 days |
__cf_bm | 3rd Party | 0 days |
__cf_bm | 3rd Party | 0 days |
player | 3rd Party | 365 days |
__q_domainTest | 1st Party | 0 days |
Marketing / Targeting
We use marketing cookies to deliver many types of targeted digital marketing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. These cookies store user data and behavior information, which allows advertising services to target audiences according to variables. For example, these cookies allow us to:
- Observe the Website performance and generate retargeting (site retargeting, search retargeting, etc.).
- Maintain and improve the website and our products.
Cookie Name | Type | Lifespan |
NO NAME | 3rd Party | 0 days |
6suuid | 3rd Party | 729 days |
lidc | 3rd Party | 1 day |
_fbp | 1st Party | 90 days |
bcookie | 3rd Party | 731 days |
bscookie | 3rd Party | 731 days |
AnalyticsSyncHistory | 3rd Party | 30 days |
UserMatchHistory | 3rd Party | 30 days |
li_gc | 3rd Party | 713 days |
_BUID | 3rd Party | 364 days |
_biz_kvpA | 1st Party | 0 days |
_biz_dfsA | 1st Party | 0 days |
_BUID | 3rd Party | 364 days |
VISITOR_INFO1_LIVE | 3rd Party | 179 days |
YSC | 3rd Party | 0 days |
CONSENT | 3rd Party | 729 days |
_uetsid | 1st Party | 0 days |
ANONCHK | 3rd Party | 0 days |
SRM_B | 3rd Party | 389 days |
MUID | 3rd Party | 389 days |
SM | 3rd Party | 0 days |
muc_ads | 3rd Party | 729 days |
personalization_id | 3rd Party | 729 days |
in_or | 1st Party | 0 days |
q_state_ubFjDH1QLqM69tJc | 1st Party | 3649 days |
_gat_UA-XXXXXX-X | 1st Party | 0 days |
_biz_flagsA | 1st Party | 364 days |
__cf_bm | 3rd Party | 0 days |
guest_id | 3rd Party | 729 days |
MR | 3rd Party | 6 days |
guest_id_ads | 3rd Party | 729 days |
_cfuvid | 3rd Party | 0 days |
li_sugr | 3rd Party | 89 days |
MUID | 3rd Party | 389 days |
guest_id_marketing | 3rd Party | 729 days |
ARRAffinitySameSite | 3rd Party | 0 days |
visitorId | 3rd Party | 364 days |
CLID | 3rd Party | 364 days |
MR | 3rd Party | 6 days |
CLID | 3rd Party | 364 days |
ARRAffinity | 3rd Party | 0 days |
MR | 3rd Party | 6 days |
How to control or delete cookies
Most browsers allow you to change your cookie settings. These settings will typically be found in the “options” or “preferences” menu of your browser. In order to understand these settings and learn how to use them, please consult the “Help” function of your browser, or the documentation published online for your particular browser type and version. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our Website.
Depending on where you are located, you may also be able to change your cookie preferences using the cookies banner on our Website.
The following pages have information on how to change your cookies settings for the different browsers:
- Cookie settings in Chrome
- Cookie settings in Firefox
- Cookie settings in Internet Explorer
- Cookie settings in Safari and iOS
Third Party Websites' Cookies
When using our Website you may be directed to other websites. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our Website.
If you use the buttons that allow you to share products and content with your friends via social networks like Google, Twitter and Facebook, these companies may set a cookie on your computer memory. Find out more about these here:
- https://www.facebook.com/about/privacy
- http://twitter.com/privacy
- http://www.google.com/intl/en-GB/policies/privacy
Need More Information?
If you would like to find out more about cookies and their use on the Internet, you may find the following link useful: All About Cookies.
Cookies that have been set in the past
If you have disabled one or more Cookies, we may still use information collected from cookies prior to your disabled preference being set, however, we will stop using the disabled cookie to collect any further information.
Contact us
If you have any questions or comments about this cookies policy, or privacy matters generally, please contact us via email at privacy@wiz.io.
Updated 15 November 2023
Effective November 15th 2023 to November 17th 2023
Cookies Policy
Our website https://www.wiz.io/ ("Website") uses cookies and similar files or technologies to automatically collect and store information about your computer, device, and Website usage, in order to improve their performance and enhance your user experience. We use the general term "cookies" in this policy to refer to these technologies and all such similar technologies that collect information automatically when you are using our Website where this policy is posted. You can find out more about cookies and how to control them in the information below.
If you do not accept the use of these cookies, please disable them using the instructions in this Cookies Policy or by changing your browser settings so that cookies from this Website cannot be placed on your computer or mobile device. Important: disabling certain cookies on this Website may cripple the user experience and other features on the Website, to the point of rendering them useless.
In this Cookies Policy, we use the term Wiz (and "we", "us" and "our") to refer to Wiz Inc. and our affiliates. Our Privacy Policy is available at https://www.wiz.io/legal/privacy-policy.
What is a cookie?
Cookies are computer files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies can then be sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide information to the owners of the website.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences and generally improving the user experience. Cookies may tell us, for example, whether you have visited our Website before or whether you are a new visitor.
There are two broad categories of cookies:
- First Party cookies, served directly by us to your computer or mobile device.
- Third Party cookies, which are served by a third party on our behalf. We use third party cookies for functionality, performance / analytics, marketing, unclassified and other technologies, and social media purposes.
Cookies can remain on your computer or mobile device for different periods of time. Some cookies are 'session cookies', meaning that they exist only while your browser is open. These are deleted automatically once you close your browser. Other cookies are 'permanent cookies', meaning that they survive after your browser is closed. They can be used by websites to recognize your computer when you open your browser and browse the Internet again.
What are web beacons?
Cookies are not the only way to recognize or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called "tracking pixels" or "clear gifs"). These are small graphics files that contain a unique identifier that enable us to recognize when someone has visited our website. This allows us, for example, to monitor the traffic patterns of users from one page within our website to another, to deliver or communicate with cookies, to understand whether you have come to our website from an online advertisement displayed on a third party website, to improve website performance and to measure the success of email marketing campaigns. In most instances, these technologies are reliant on cookies to function, and therefore declining cookies prevents them from functioning.
If you don't want your cookie information to be associated with your visits to these pages, you can set your browser to turn off cookies as described further below. If you turn off cookies, web beacon and other technologies will still detect your visits to our Website; however, they will not be associated with information otherwise stored in cookies.
Targeted advertising
Third parties may drop cookies on your computer or mobile device to serve advertising through our Website. These companies may use information about your visits to this and other websites in order to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology that is used to measure the effectiveness of advertisements. The information collected through this process does not enable us or them to identify your name, contact details or other personally identifying details unless you choose to provide these to us.
How do we use cookies?
We use cookies to:
- track traffic flow and patterns of travel and behavior in connection with our Website;
- understand the total number of visitors to our Websites on an ongoing basis and the types of internet browsers (e.g. Chrome, Firefox, Safari, or Internet Explorer) and operating systems (e.g. Windows or Mac) used by our visitors;
- monitor the performance of our Website and to continually improve it;
- in connection with our marketing and advertising efforts; and
- customize and enhance your online experience.
What types of cookies do we use?
The types of cookies used by us in connection with the Website can be considered “strictly necessary”, “performance or analytics cookies”, “marketing / targeting”, and “unclassified”. We've set out some further information below about each category.
Cookies strictly necessary for website purposes
These cookies are strictly necessary to provide you with services available through the Website and to use some of its features, such as access to secure areas. These cookies cannot be switched off, as without them we will not be able to provide essential website services.
Cookie Name | Type | Lifespan |
OptanonAlertBoxClosed | 1st Party | 1 year |
OptanonConsent | 1st Party | 1 year |
Performance / Analytics Cookies
We use performance/analytics cookies to analyze how the website is accessed, used, or is performing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. For example, these cookies allow us to:
- Better understand our website visitors so that we can improve how we present our content;
- Test different design ideas for particular pages, such as our homepage;
- Collect information about Website visitors such as where they are located and what browsers they are using;
- Determine the number of unique users of the website;
- Improve the website by measuring any errors that occur;
- Measuring campaign effectiveness; and
- Conduct research and diagnostics to improve product offerings.
Cookie Name | Type | Lifespan |
_ga | 1st Party | 730 days |
_gid | 1st Party | 1 day |
_biz_sid | 1st Party | 0 days |
_biz_uid | 1st Party | 364 days |
_biz_nA | 1st Party | 364 days |
_biz_pendingA | 1st Party | 364 days |
_uetvid | 1st Party | 389 days |
_clsk | 1st Party | 0 days |
_session_id | 3rd Party | 13 days |
_clck | 1st Party | 364 days |
JSESSIONID | 3rd Party | 1 day |
_ga_xxxxxxx | 1st Party | 729 days |
ARRAffinity | 3rd Party | 0 days |
_gclxxxx | 1st Party | 90 days |
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
Cookie Name | Type | Lifespan |
_rdt_uuid | 1st Party | 90 days |
_gd_visitor | 1st Party | 730 days |
_gd_session | 1st Party | 0 days |
_mkto_trk | 1st Party | 730 days |
_an_uid | 1st Party | 6 days |
_gd_svisitor | 1st Party | 730 days |
vuid | 3rd party | 729 days |
__cf_bm | 3rd party | 0 days |
__cf_bm | 3rd party | 0 days |
__cf_bm | 3rd party | 0 days |
player | 3rd Party | 365 days |
__q_domainTest | 1st Party | 0 days |
Marketing / Targeting
We use marketing cookies to deliver many types of targeted digital marketing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. These cookies store user data and behavior information, which allows advertising services to target audiences according to variables. For example, these cookies allow us to:
- Observe the Website performance and generate retargeting (Site retargeting, search retargeting, etc.).
- Maintain and improve the website and our products
Cookie Name | Type | Lifespan |
NO NAME | 3rd party | 0 days |
6suuid | 3rd party | 729 days |
lidc | 3rd party | 1 day |
_fbp | 1st Party | 90 days |
bcookie | 3rd party | 731 days |
bscookie | 3rd party | 731 days |
AnalyticsSyncHistory | 3rd party | 30 days |
UserMatchHistory | 3rd party | 30 days |
li_gc | 3rd party | 713 days |
_BUID | 3rd party | 364 days |
_biz_kvpA | 1st Party | 0 days |
_biz_dfsA | 1st Party | 0 days |
_BUID | 3rd party | 364 days |
VISITOR_INFO1_LIVE | 3rd party | 179 days |
YSC | 3rd party | 0 days |
CONSENT | 3rd party | 729 days |
_uetsid | 1st Party | 0 days |
ANONCHK | 3rd Party | 0 days |
SRM_B | 3rd Party | 389 days |
MUID | 3rd Party | 389 days |
SM | 3rd Party | 0 days |
muc_ads | 3rd Party | 729 days |
personalization_id | 3rd Party | 729 days |
in_or | 1st party | 0 days |
q_state_ubFjDH1QLqM69tJc | 1st Party | 3649 days |
_gat_UA-XXXXXX-X | 1st Party | 0 days |
_biz_flagsA | 1st Party | 364 days |
__cf_bm | 3rd Party | 0 days |
guest_id | 3rd Party | 729 days |
MR | 3rd Party | 6 days |
guest_id_ads | 3rd Party | 729 days |
_cfuvid | 3rd Party | 0 days |
li_sugr | 3rd Party | 89 days |
MUID | 3rd Party | 389 days |
guest_id_marketing | 3rd Party | 729 days |
ARRAffinitySameSite | 3rd Party | 0 days |
visitorId | 3rd Party | 364 days |
CLID | 3rd Party | 364 days |
MR | 3rd Party | 6 days |
CLID | 3rd Party | 364 days |
ARRAffinity | 3rd Party | 0 days |
MR | 3rd Party | 6 days |
How to control or delete cookies
Most browsers allow you to change your cookie settings. These settings will typically be found in the “options” or “preferences” menu of your browser. In order to understand these settings and learn how to use them, please consult the “Help” function of your browser, or the documentation published online for your particular browser type and version. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our Website.
Depending on where you are located, you may also be able to change your cookie preferences using the cookies banner on our Website.
The following pages have information on how to change your cookies settings for the different browsers:
- Cookie settings in Chrome
- Cookie settings in Firefox
- Cookie settings in Internet Explorer
- Cookie settings in Safari and iOS
Third Party Websites' Cookies
When using our Website you may be directed to other websites. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our Website.
If you use the buttons that allow you to share products and content with your friends via social networks like Google, Twitter and Facebook, these companies may set a cookie on your computer memory. Find out more about these here:
- https://www.facebook.com/about/privacy
- http://twitter.com/privacy
- http://www.google.com/intl/en-GB/policies/privacy
Need More Information?
If you would like to find out more about cookies and their use on the Internet, you may find the following link useful: All About Cookies.
Cookies that have been set in the past
If you have disabled one or more Cookies, we may still use information collected from cookies prior to your disabled preference being set, however, we will stop using the disabled cookie to collect any further information.
Contact us
If you have any questions or comments about this cookies policy, or privacy matters generally, please contact us via email at privacy@wiz.io.
Updated 15 November 2023
Effective October 9th 2023 to November 15th 2023
Cookies Policy
Our website https://www.wiz.io/ ("Website") uses cookies and similar files or technologies to automatically collect and store information about your computer, device, and Website usage, in order to improve their performance and enhance your user experience. We use the general term "cookies" in this policy to refer to these technologies and all such similar technologies that collect information automatically when you are using our Website where this policy is posted. You can find out more about cookies and how to control them in the information below.
If you do not accept the use of these cookies, please disable them using the instructions in this Cookies Policy or by changing your browser settings so that cookies from this Website cannot be placed on your computer or mobile device. Important: disabling certain cookies on this Website may cripple the user experience and other features on the Website, to the point of rendering them useless.
In this Cookies Policy, we use the term Wiz (and "we", "us" and "our") to refer to Wiz Inc. and our affiliates. Our Privacy Policy is available at https://www.wiz.io/privacy-policy.
What is a cookie?
Cookies are computer files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies can then be sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide information to the owners of the website.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences and generally improving the user experience. Cookies may tell us, for example, whether you have visited our Website before or whether you are a new visitor.
There are two broad categories of cookies:
- First Party cookies, served directly by us to your computer or mobile device.
- Third Party cookies, which are served by a third party on our behalf. We use third party cookies for functionality, performance / analytics, marketing, unclassified and other technologies, and social media purposes.
Cookies can remain on your computer or mobile device for different periods of time. Some cookies are 'session cookies', meaning that they exist only while your browser is open. These are deleted automatically once you close your browser. Other cookies are 'permanent cookies', meaning that they survive after your browser is closed. They can be used by websites to recognize your computer when you open your browser and browse the Internet again.
What are web beacons?
Cookies are not the only way to recognize or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called "tracking pixels" or "clear gifs"). These are small graphics files that contain a unique identifier that enable us to recognize when someone has visited our website. This allows us, for example, to monitor the traffic patterns of users from one page within our website to another, to deliver or communicate with cookies, to understand whether you have come to our website from an online advertisement displayed on a third party website, to improve website performance and to measure the success of email marketing campaigns. In most instances, these technologies are reliant on cookies to function, and therefore declining cookies prevents them from functioning.
If you don't want your cookie information to be associated with your visits to these pages, you can set your browser to turn off cookies as described further below. If you turn off cookies, web beacon and other technologies will still detect your visits to our Website; however, they will not be associated with information otherwise stored in cookies.
Targeted advertising
Third parties may drop cookies on your computer or mobile device to serve advertising through our Website. These companies may use information about your visits to this and other websites in order to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology that is used to measure the effectiveness of advertisements. The information collected through this process does not enable us or them to identify your name, contact details or other personally identifying details unless you choose to provide these to us.
How do we use cookies?
We use cookies to:
- track traffic flow and patterns of travel and behavior in connection with our Website;
- understand the total number of visitors to our Websites on an ongoing basis and the types of internet browsers (e.g. Chrome, Firefox, Safari, or Internet Explorer) and operating systems (e.g. Windows or Mac) used by our visitors;
- monitor the performance of our Website and to continually improve it;
- in connection with our marketing and advertising efforts; and
- customize and enhance your online experience.
What types of cookies do we use?
The types of cookies used by us in connection with the Website can be considered “strictly necessary”, “performance or analytics cookies”, “marketing / targeting”, and “unclassified”. We've set out some further information below about each category.
Cookies strictly necessary for website purposes
These cookies are strictly necessary to provide you with services available through the Website and to use some of its features, such as access to secure areas. These cookies cannot be switched off, as without them we will not be able to provide essential website services.
Cookie Name | Type | Lifespan |
OptanonAlertBoxClosed | 1st Party | 1 year |
OptanonConsent | 1st Party | 1 year |
Performance / Analytics Cookies
We use performance/analytics cookies to analyze how the website is accessed, used, or is performing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. For example, these cookies allow us to:
- Better understand our website visitors so that we can improve how we present our content;
- Test different design ideas for particular pages, such as our homepage;
- Collect information about Website visitors such as where they are located and what browsers they are using;
- Determine the number of unique users of the website;
- Improve the website by measuring any errors that occur;
- Measuring campaign effectiveness; and
- Conduct research and diagnostics to improve product offerings.
Cookie Name | Type | Lifespan |
---|---|---|
_ga | 1st Party | 730 days |
_gid | 1st Party | 1 day |
_biz_sid | 1st Party | 0 days |
_biz_uid | 1st Party | 364 days |
_biz_nA | 1st Party | 364 days |
_biz_pendingA | 1st Party | 364 days |
_uetvid | 1st Party | 389 days |
_clsk | 1st Party | 0 days |
_session_id | 3rd Party | 13 days |
_clck | 1st Party | 364 days |
JSESSIONID | 3rd Party | 1 day |
_ga_xxxxxxx | 1st Party | 729 days |
ARRAffinity | 3rd Party | 0 days |
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
Cookie Name | Type | Lifespan |
_rdt_uuid | 1st Party | 90 days |
_gd_visitor | 1st Party | 730 days |
_gd_session | 1st Party | 0 days |
_mkto_trk | 1st Party | 730 days |
_an_uid | 1st Party | 6 days |
_gd_svisitor | 1st Party | 730 days |
vuid | 3rd party | 729 days |
__cf_bm | 3rd party | 0 days |
player | 3rd Party | 365 days |
__q_domainTest | 1st Party | 0 days |
Marketing / Targeting
We use marketing cookies to deliver many types of targeted digital marketing. We do this in order to provide you with a better user experience and to maintain, operate and continually improve the website. These cookies store user data and behavior information, which allows advertising services to target audiences according to variables. For example, these cookies allow us to:
- Observe the Website performance and generate retargeting (Site retargeting, search retargeting, etc.).
- Maintain and improve the website and our products
Cookie Name | Type | Lifespan |
NO NAME | 3rd party | 0 days |
6suuid | 3rd party | 729 days |
lidc | 3rd party | 1 day |
_fbp | 1st Party | 90 days |
bcookie | 3rd party | 731 days |
bscookie | 3rd party | 731 days |
AnalyticsSyncHistory | 3rd party | 30 days |
UserMatchHistory | 3rd party | 30 days |
li_gc | 3rd party | 713 days |
_BUID | 3rd party | 364 days |
_biz_kvpA | 1st Party | 0 days |
_biz_dfsA | 1st Party | 0 days |
_BUID | 3rd party | 364 days |
VISITOR_INFO1_LIVE | 3rd party | 179 days |
YSC | 3rd party | 0 days |
CONSENT | 3rd party | 729 days |
_uetsid | 1st Party | 0 days |
ANONCHK | 3rd Party | 0 days |
SRM_B | 3rd Party | 389 days |
MUID | 3rd Party | 389 days |
SM | 3rd Party | 0 days |
muc_ads | 3rd Party | 729 days |
personalization_id | 3rd Party | 729 days |
in_or | 1st party | 0 days |
q_state_ubFjDH1QLqM69tJc | 1st Party | 3649 days |
_gat_UA-XXXXXX-X | 1st Party | 0 days |
_biz_flagsA | 1st Party | 364 days |
__cf_bm | 3rd Party | 0 days |
guest_id | 3rd Party | 729 days |
MR | 3rd Party | 6 days |
guest_id_ads | 3rd Party | 729 days |
_cfuvid | 3rd Party | 0 days |
li_sugr | 3rd Party | 89 days |
MUID | 3rd Party | 389 days |
guest_id_marketing | 3rd Party | 729 days |
ARRAffinitySameSite | 3rd Party | 0 days |
visitorId | 3rd Party | 364 days |
CLID | 3rd Party | 364 days |
MR | 3rd Party | 6 days |
How to control or delete cookies
Most browsers allow you to change your cookie settings. These settings will typically be found in the “options” or “preferences” menu of your browser. In order to understand these settings and learn how to use them, please consult the “Help” function of your browser, or the documentation published online for your particular browser type and version. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our Website.
Depending on where you are located, you may also be able to change your cookie preferences using the cookies banner on our Website.
The following pages have information on how to change your cookies settings for the different browsers:
- Cookie settings in Chrome
- Cookie settings in Firefox
- Cookie settings in Internet Explorer
- Cookie settings in Safari and iOS
Third Party Websites' Cookies
When using our Website you may be directed to other websites. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our Website.
If you use the buttons that allow you to share products and content with your friends via social networks like Google, Twitter and Facebook, these companies may set a cookie on your computer memory. Find out more about these here:
- https://www.facebook.com/about/privacy
- http://twitter.com/privacy
- http://www.google.com/intl/en-GB/policies/privacy
Need More Information?
If you would like to find out more about cookies and their use on the Internet, you may find the following link useful: All About Cookies.
Cookies that have been set in the past
If you have disabled one or more Cookies, we may still use information collected from cookies prior to your disabled preference being set, however, we will stop using the disabled cookie to collect any further information.
Contact us
If you have any questions or comments about this cookies policy, or privacy matters generally, please contact us via email at privacy@wiz.io.
Updated 17 July 2023
Wiz Anti-Corruption and Bribery Policy
Effective September 27th 2024
Anti Corruption and Bribery Policy
1. Purpose and Scope
The purpose of this Policy is to:
- Set out our responsibilities, and the responsibilities of those working for and on our behalf, in observing and upholding our position on bribery and corruption; and
- Provide information and guidance to those working for and on our behalf on how to recognize and deal with bribery and corruption issues
The scope of this policy applies to all Wiz personnel. This policy applies to the corporate controls environment.
Policy
Wiz conducts all business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery and corruption.
We take our legal responsibilities very seriously. We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.
Wiz may amend this policy from time to time and shall make the amended policy available to all individuals to which this policy applies.
Who does this policy apply to?
This policy applies to all persons working for Wiz or on Wiz's behalf in any capacity, including employees at all levels, directors, officers, agency workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners, sponsors, or any other person associated with us, wherever located.
Who is responsible for this policy?
Wiz's legal team has the overall responsibility for the effective operation of this policy. However, Wiz's management shall ensure the overall enforcement of this policy throughout the company. Suggestions for change should be reported to Wiz's legal team.
2. Definitions
2.1 Bribery is offering, promising, giving or accepting any financial or other advantage, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage.
2.1.1 An advantage includes money, gifts, loans, fees, hospitality, services, discounts, the award of a contract, or anything else of value.
2.1.2 A person acts improperly where they act illegally, unethically, or contrary to an expectation of good faith or impartiality, or where they abuse a position of trust. The improper acts may be in relation to any business or professional activities, public functions, acts in the course of employment, or other activities by or on behalf of any organization of any kind.
It is a criminal offence to offer, promise, give, request, or accept a bribe. Individuals found guilty can be punished with imprisonment and/or fines, and employers that fail to prevent bribery can face an unlimited fine, exclusion from tendering for public contracts, and damage to their reputation.
EXAMPLES
Offering a bribe: You offer tickets to a major sporting event to a potential client, but only if they agree to do business with Wiz. This would be an offence as you are making the offer to gain a commercial and contractual advantage. We may also be found to have committed an offence because the offer has been made to obtain business for Wiz. It may also be an offence for the potential client to accept your offer.
Receiving a bribe: A supplier gives your nephew a job, but makes it clear that in return they expect you to use your influence at Wiz to ensure we continue to do business with them. It is an offence for a supplier to make such an offer. It would be an offence for you to accept the offer as you would be doing so to gain a personal advantage.
Bribing a foreign official: You arrange for the business to pay an additional "facilitation" payment to a foreign official to speed up an administrative process for Wiz. The offence of bribing a foreign public official is committed as soon as the offer is made. This is because it is made to gain a business advantage for us. We may also be found to have committed an offence.
2.3 Facilitation Payments, also known as “back-handers” or “grease payments,” are typically small, unofficial payments made to secure or expedite a routine or necessary action (for example, by a government official).
2.5 Third Party means any individual or organization you come into contact with during the course of your work for or with Wiz, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
3. What You Must Not Do
It is not acceptable for you (or someone on your behalf) to:
- give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
- give or accept a gift or hospitality during any commercial negotiations or tender process, if this could be perceived as intended or likely to influence the outcome;
- accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that it will provide a business advantage for them or anyone else in return;
- offer or accept a gift to or from government officials or representatives, or politicians or political parties, without the prior approval of the legal team;
- threaten or retaliate against another individual who has refused to commit a bribery offence or who has raised concerns under this policy; or
- engage in any other activity that might lead to a breach of this policy.
4. Facilitation Payments and Kickbacks
We do not make, and will not accept, facilitation payments or "kickbacks" of any kind. See section 2 for definitions of these terms.
You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by us or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with Wiz's legal team.
5. Gifts, Hospitality, and Expenses
This policy allows reasonable and appropriate hospitality or entertainment given to or received from third parties, for the purposes of:
- establishing or maintaining good business relationships;
- improving or maintaining our image or reputation; or
- marketing or presenting our products and/or services effectively.
The giving and accepting of gifts is allowed if the following requirements are met:
- it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
- it is appropriate in the circumstances, taking account of the reason for the gift, its timing and value;
- it is given openly, not secretly; and
- it complies with any applicable local law.
Promotional gifts of low value such to or from existing customers, suppliers and business partners will usually be acceptable.
Reimbursing a third party's expenses or accepting an offer to reimburse our expenses (for example, the costs of attending a business meeting) would not usually amount to bribery. However, in excess of genuine and reasonable business expenses (such as the cost of an extended hotel stay) is not acceptable.
We appreciate that practice varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift, hospitality or payment is reasonable and justifiable. The intention behind it should always be considered.
6. Donations
We do not make contributions to political parties.
We only make charitable donations that are legal and ethical under local laws and practices.
7. Record-Keeping
We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
You must declare and keep a written record of all hospitality or gifts given or received, which will be subject to managerial review.
You must submit all expenses claims relating to hospitality, gifts, or payments to third parties in accordance with our expenses policy and record the reason for expenditure.
All accounts, invoices, and other records relating to dealings with third parties including suppliers and customers should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
8. Your Responsibilities
You must ensure that you read, understand, and comply with this policy.
The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for Wiz or under Wiz's control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
You must notify the Wiz legal team as soon as possible if you believe or suspect that a conflict with this policy has occurred or may occur in the future, for example, if a customer or potential customer offers you something to gain a business advantage with us or indicates to you that a gift or payment is required to secure their business. Further "red flags" that may indicate bribery or corruption are set out in section 13.
9. How to Raise a Concern
You are encouraged to raise concerns about any issue or suspicion of bribery or corruption at the earliest possible stage.
If you are offered a bribe, or are asked to make one, or if you believe or suspect that any bribery, corruption, or other breach of this policy has occurred or may occur, you must notify your manager, the HR team, or the legal team as soon as possible.
If you are unsure about whether a particular act constitutes bribery or corruption, raise it with your manager, the HR team, or the legal team.
10. Protection
Individuals who refuse to accept or offer a bribe or who raise concerns or report another's wrongdoing are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place or may take place in the future. Damaging treatment includes dismissal, disciplinary action, threats, or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the legal team immediately.
11. Training and Communication
Training on this policy will be provided as necessary.
Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.
12. Breaches of this Policy
Any employee who breaches this policy will face disciplinary action, up to dismissal for misconduct or gross misconduct.
We may terminate our relationship with other individuals and organizations working on our behalf if they breach this policy.
13. Potential Risk Scenarios: “Red Flags”
The following is a list of possible red flags that may arise during the course of your work for or with Wiz and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for or with Wiz, you must report them promptly to your manager, the HR team or legal team:
- you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
- you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a "special relationship" with foreign government officials;
- a third party insists on receiving a commission or fee payment before carrying out a government function or process for us;
- a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- a third party requests an unexpected additional fee or commission to "facilitate" a service;
- a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- a third party requests that a payment is made to "overlook" potential legal violations;
- a third party requests that you provide employment or some other advantage to a friend or relative;
- you receive an invoice from a third party that appears to be non-standard or customized;
- a third party insists on the use of side letters or refuses to put terms agreed in writing;
- you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
- a third party requests or requires the use of an agent, intermediary, consultant, distributor, or supplier that is not typically used by or known to us; or
- you are offered an unusually generous gift or lavish hospitality by a third party.
14. Document Ownership and Approval
14.2 This policy is designated as non-critical; the Wiz Legal team is responsible for ensuring the policy is reviewed and approved every second year.
14.3 The current version of this document is available to all staff on the internal policy management tool.
14.4 This Policy was approved by Mya Joel, Privacy Officer & Legal Counsel and is issued on a version-controlled basis.
Effective November 17th 2023 to September 27th 2024
Anti Corruption and Bribery Policy
Purpose and Scope
The purpose of this Policy is to:
- Set out our responsibilities, and the responsibilities of those working for and on our behalf, in observing and upholding our position on bribery and corruption; and
- Provide information and guidance to those working for and on our behalf on how to recognize and deal with bribery and corruption issues
The scope of this policy applies to all Wiz personnel. This policy applies to the corporate controls environment.
Policy
Wiz conducts all business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery and corruption.
We take our legal responsibilities very seriously. We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.
Wiz may amend this policy from time to time and shall make the amended policy available to all individuals to which this policy applies.
Who does this policy apply to?
This policy applies to all persons working for Wiz or on Wiz's behalf in any capacity, including employees at all levels, directors, officers, agency workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners, sponsors, or any other person associated with us, wherever located.
Who is responsible for this policy?
Wiz's legal team has the overall responsibility for the effective operation of this policy. However, Wiz's management shall ensure the overall enforcement of this policy throughout the company. Suggestions for change should be reported to Wiz's legal team.
Definitions
- Bribery is offering, promising, giving or accepting any financial or other advantage, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage. An advantage includes money, gifts, loans, fees, hospitality, services, discounts, the award of a contract, or anything else of value. A person acts improperly where they act illegally, unethically, or contrary to an expectation of good faith or impartiality, or where they abuse a position of trust. The improper acts may be in relation to any business or professional activities, public functions, acts in the course of employment, or other activities by or on behalf of any organization of any kind. It is a criminal offence to offer, promise, give, request, or accept a bribe. Individuals found guilty can be punished with imprisonment and/or fines and employers that fail to prevent bribery can face an unlimited fine, exclusion from tendering for public contracts, and damage to their reputation.
- Corruption is the abuse of entrusted power or position for private gain.
EXAMPLES
Offering a bribe: You offer tickets to a major sporting event to a potential client, but only if they agree to do business with Wiz. This would be an offence as you are making the offer to gain a commercial and contractual advantage. We may also be found to have committed an offence because the offer has been made to obtain business for Wiz. It may also be an offence for the potential client to accept your offer.
Receiving a bribe: A supplier gives your nephew a job, but makes it clear that in return they expect you to use your influence at Wiz to ensure we continue to do business with them. It is an offence for a supplier to make such an offer. It would be an offence for you to accept the offer as you would be doing so to gain a personal advantage.
Bribing a foreign official: You arrange for the business to pay an additional "facilitation" payment to a foreign official to speed up an administrative process for Wiz. The offence of bribing a foreign public official is committed as soon as the offer is made. This is because it is made to gain a business advantage for us. We may also be found to have committed an offence.
- Facilitation Payments, also known as “back-handers” or “grease payments,” are typically small, unofficial payments made to secure or expedite a routine or necessary action (for example, by a government official).
- Kickbacks are typically payments made in return for a business favor or advantage.
- Third Party means any individual or organization you come into contact with during the course of your work for or with Wiz, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
What You Must Not Do
It is not acceptable for you (or someone on your behalf) to:
- give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
- give or accept a gift or hospitality during any commercial negotiations or tender process, if this could be perceived as intended or likely to influence the outcome;
- accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that it will provide a business advantage for them or anyone else in return;
- offer or accept a gift to or from government officials or representatives, or politicians or political parties, without the prior approval of the legal team;
- threaten or retaliate against another individual who has refused to commit a bribery offence or who has raised concerns under this policy; or
- engage in any other activity that might lead to a breach of this policy.
Facilitation Payments and Kickbacks
We do not make, and will not accept, facilitation payments or "kickbacks" of any kind. See section 2 for definitions of these terms.
You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by us or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with Wiz's legal team.
Gifts, Hospitality, and Expenses
This policy allows reasonable and appropriate hospitality or entertainment given to or received from third parties, for the purposes of:
- establishing or maintaining good business relationships;
- improving or maintaining our image or reputation; or
- marketing or presenting our products and/or services effectively.
The giving and accepting of gifts is allowed if the following requirements are met:
- it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
- it is appropriate in the circumstances, taking account of the reason for the gift, its timing and value;
- it is given openly, not secretly; and
- it complies with any applicable local law.
Promotional gifts of low value such to or from existing customers, suppliers and business partners will usually be acceptable.
Reimbursing a third party's expenses or accepting an offer to reimburse our expenses (for example, the costs of attending a business meeting) would not usually amount to bribery. However, in excess of genuine and reasonable business expenses (such as the cost of an extended hotel stay) is not acceptable.
We appreciate that practice varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift, hospitality or payment is reasonable and justifiable. The intention behind it should always be considered.
Donations
We do not make contributions to political parties.
We only make charitable donations that are legal and ethical under local laws and practices.
Record-Keeping
We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
You must declare and keep a written record of all hospitality or gifts given or received, which will be subject to managerial review.
You must submit all expenses claims relating to hospitality, gifts, or payments to third parties in accordance with our expenses policy and record the reason for expenditure.
All accounts, invoices, and other records relating to dealings with third parties including suppliers and customers should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
Your Responsibilities
You must ensure that you read, understand, and comply with this policy.
The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for Wiz or under Wiz's control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
You must notify the Wiz legal team as soon as possible if you believe or suspect that a conflict with this policy has occurred or may occur in the future, for example, if a customer or potential customer offers you something to gain a business advantage with us or indicates to you that a gift or payment is required to secure their business. Further "red flags" that may indicate bribery or corruption are set out in section 13.
How to Raise a Concern
You are encouraged to raise concerns about any issue or suspicion of bribery or corruption at the earliest possible stage.
If you are offered a bribe, or are asked to make one, or if you believe or suspect that any bribery, corruption, or other breach of this policy has occurred or may occur, you must notify your manager, the HR team, or the legal team as soon as possible.
If you are unsure about whether a particular act constitutes bribery or corruption, raise it with your manager, the HR team, or the legal team.
Protection
Individuals who refuse to accept or offer a bribe or who raise concerns or report another's wrongdoing are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place or may take place in the future. Damaging treatment includes dismissal, disciplinary action, threats, or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the legal team immediately.
Training and Communication
Training on this policy will be provided as necessary.
Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.
Breaches of this Policy
Any employee who breaches this policy will face disciplinary action, up to dismissal for misconduct or gross misconduct.
We may terminate our relationship with other individuals and organizations working on our behalf if they breach this policy.
Potential Risk Scenarios: “Red Flags”
The following is a list of possible red flags that may arise during the course of your work for or with Wiz and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for or with Wiz, you must report them promptly to your manager, the HR team or legal team:
- you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
- you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a "special relationship" with foreign government officials;
- a third party insists on receiving a commission or fee payment before carrying out a government function or process for us;
- a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- a third party requests an unexpected additional fee or commission to "facilitate" a service;
- a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- a third party requests that a payment is made to "overlook" potential legal violations;
- a third party requests that you provide employment or some other advantage to a friend or relative;
- you receive an invoice from a third party that appears to be non-standard or customized;
- a third party insists on the use of side letters or refuses to put terms agreed in writing;
- you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
- a third party requests or requires the use of an agent, intermediary, consultant, distributor, or supplier that is not typically used by or known to us; or
- you are offered an unusually generous gift or lavish hospitality by a third party.
Document Ownership and Approval
- The Wiz Legal team is the owner of this document.
- This policy is designated as non-critical; the Wiz Legal team is responsible for ensuring the policy is reviewed and approved every second year.
- The current version of this document is available to all staff on the internal policy management tool.
- This Policy was approved by Mya Joel, Privacy Officer & Legal Counsel and is issued on a version-controlled basis.
- Change Record
Version | Author | Approver | Approval Date | Description of Changes |
3 | Rosie Cramer | Mya Joel | 8 November 2023 | Template and formatting updates |
Effective November 8th 2023 to November 17th 2023
Anti Corruption and Bribery Policy
Purpose and Scope
The purpose of this Policy is to:
- Set out our responsibilities, and the responsibilities of those working for and on our behalf, in observing and upholding our position on bribery and corruption; and
- Provide information and guidance to those working for and on our behalf on how to recognize and deal with bribery and corruption issues
The scope of this policy applies to all Wiz personnel. This policy applies to the corporate controls environment.
Policy
Wiz conducts all business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery and corruption.
We take our legal responsibilities very seriously. We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.
Wiz may amend this policy from time to time and shall make the amended policy available to all individuals to which this policy applies.
Who does this policy apply to?
This policy applies to all persons working for Wiz or on Wiz's behalf in any capacity, including employees at all levels, directors, officers, agency workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners, sponsors, or any other person associated with us, wherever located.
Who is responsible for this policy?
Wiz's legal team has the overall responsibility for the effective operation of this policy. However, Wiz's management shall ensure the overall enforcement of this policy throughout the company. Suggestions for change should be reported to Wiz's legal team.
Definitions
- Bribery is offering, promising, giving or accepting any financial or other advantage, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage. An advantage includes money, gifts, loans, fees, hospitality, services, discounts, the award of a contract, or anything else of value. A person acts improperly where they act illegally, unethically, or contrary to an expectation of good faith or impartiality, or where they abuse a position of trust. The improper acts may be in relation to any business or professional activities, public functions, acts in the course of employment, or other activities by or on behalf of any organization of any kind. It is a criminal offence to offer, promise, give, request, or accept a bribe. Individuals found guilty can be punished with imprisonment and/or fines and employers that fail to prevent bribery can face an unlimited fine, exclusion from tendering for public contracts, and damage to their reputation.
- Corruption is the abuse of entrusted power or position for private gain.
EXAMPLES
Offering a bribe: You offer tickets to a major sporting event to a potential client, but only if they agree to do business with Wiz. This would be an offence as you are making the offer to gain a commercial and contractual advantage. We may also be found to have committed an offence because the offer has been made to obtain business for Wiz. It may also be an offence for the potential client to accept your offer.
Receiving a bribe: A supplier gives your nephew a job, but makes it clear that in return they expect you to use your influence at Wiz to ensure we continue to do business with them. It is an offence for a supplier to make such an offer. It would be an offence for you to accept the offer as you would be doing so to gain a personal advantage.
Bribing a foreign official: You arrange for the business to pay an additional "facilitation" payment to a foreign official to speed up an administrative process for Wiz. The offence of bribing a foreign public official is committed as soon as the offer is made. This is because it is made to gain a business advantage for us. We may also be found to have committed an offence.
- Facilitation Payments, also known as “back-handers” or “grease payments,” are typically small, unofficial payments made to secure or expedite a routine or necessary action (for example, by a government official).
- Kickbacks are typically payments made in return for a business favor or advantage.
- Third Party means any individual or organization you come into contact with during the course of your work for or with Wiz, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
What You Must Not Do
It is not acceptable for you (or someone on your behalf) to:
- give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
- give or accept a gift or hospitality during any commercial negotiations or tender process, if this could be perceived as intended or likely to influence the outcome;
- accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that it will provide a business advantage for them or anyone else in return;
- offer or accept a gift to or from government officials or representatives, or politicians or political parties, without the prior approval of the legal team;
- threaten or retaliate against another individual who has refused to commit a bribery offence or who has raised concerns under this policy; or
- engage in any other activity that might lead to a breach of this policy.
Facilitation Payments and Kickbacks
We do not make, and will not accept, facilitation payments or "kickbacks" of any kind. See section 2 for definitions of these terms.
You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by us or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with Wiz's legal team.
Gifts, Hospitality, and Expenses
This policy allows reasonable and appropriate hospitality or entertainment given to or received from third parties, for the purposes of:
- establishing or maintaining good business relationships;
- improving or maintaining our image or reputation; or
- marketing or presenting our products and/or services effectively.
The giving and accepting of gifts is allowed if the following requirements are met:
- it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
- it is appropriate in the circumstances, taking account of the reason for the gift, its timing and value;
- it is given openly, not secretly; and
- it complies with any applicable local law.
Promotional gifts of low value such to or from existing customers, suppliers and business partners will usually be acceptable.
Reimbursing a third party's expenses or accepting an offer to reimburse our expenses (for example, the costs of attending a business meeting) would not usually amount to bribery. However, in excess of genuine and reasonable business expenses (such as the cost of an extended hotel stay) is not acceptable.
We appreciate that practice varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift, hospitality or payment is reasonable and justifiable. The intention behind it should always be considered.
Donations
We do not make contributions to political parties.
We only make charitable donations that are legal and ethical under local laws and practices.
Record-Keeping
We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
You must declare and keep a written record of all hospitality or gifts given or received, which will be subject to managerial review.
You must submit all expenses claims relating to hospitality, gifts, or payments to third parties in accordance with our expenses policy and record the reason for expenditure.
All accounts, invoices, and other records relating to dealings with third parties including suppliers and customers should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
Your Responsibilities
You must ensure that you read, understand, and comply with this policy.
The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for Wiz or under Wiz's control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
You must notify the Wiz legal team as soon as possible if you believe or suspect that a conflict with this policy has occurred or may occur in the future, for example if a customer or potential customer offers you something to gain a business advantage with us or indicates to you that a gift or payment is required to secure their business. Further "red flags" that may indicate bribery or corruption are set out in section 13.
How to Raise a Concern
You are encouraged to raise concerns about any issue or suspicion of bribery or corruption at the earliest possible stage.
If you are offered a bribe, or are asked to make one, or if you believe or suspect that any bribery, corruption, or other breach of this policy has occurred or may occur, you must notify your manager, the HR team, or the legal team as soon as possible.
If you are unsure about whether a particular act constitutes bribery or corruption, raise it with your manager, the HR team, or the legal team.
Protection
Individuals who refuse to accept or offer a bribe or who raise concerns or report another's wrongdoing are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place or may take place in the future. Damaging treatment includes dismissal, disciplinary action, threats, or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the legal team immediately.
Training and Communication
Training on this policy will be provided as necessary.
Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.
Breaches of this Policy
Any employee who breaches this policy will face disciplinary action, up to dismissal for misconduct or gross misconduct.
We may terminate our relationship with other individuals and organizations working on our behalf if they breach this policy.
Potential Risk Scenarios: “Red Flags”
The following is a list of possible red flags that may arise during the course of your work for or with Wiz and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for or with Wiz, you must report them promptly to your manager, the HR team or legal team:
- you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
- you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a "special relationship" with foreign government officials;
- a third party insists on receiving a commission or fee payment before carrying out a government function or process for us;
- a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- a third party requests an unexpected additional fee or commission to "facilitate" a service;
- a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- a third party requests that a payment is made to "overlook" potential legal violations;
- a third party requests that you provide employment or some other advantage to a friend or relative;
- you receive an invoice from a third party that appears to be non-standard or customized;
- a third party insists on the use of side letters or refuses to put terms agreed in writing;
- you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
- a third party requests or requires the use of an agent, intermediary, consultant, distributor, or supplier that is not typically used by or known to us; or
- you are offered an unusually generous gift or lavish hospitality by a third party.
Document Ownership and Approval
- The Wiz Legal team is the owner of this document.
- This policy is designated as non-critical; the Wiz Legal team is responsible for ensuring the policy is reviewed and approved every second year.
- The current version of this document is available to all staff on the internal policy management tool.
- This Policy was approved by Mya Joel, Privacy Officer & Legal Counsel and is issued on a version-controlled basis.
- Change Record
Version | Author | Approver | Approval Date | Description of Changes |
3 | Rosie Cramer | Mya Joel | 8 November 2023 | Template and formatting updates |
Effective August 29th 2023 to November 8th 2023
Anti Corruption and Bribery Policy
Contents
Who does this policy apply to?
4. Facilitation Payments and Kickbacks
5. Gifts, Hospitality, and Expenses
8. Your Responsibilities
9. How to Raise a Concern
11. Training and Communication
12. Breaches of this Policy
13. Potential Risk Scenarios: “Red Flags”
14. Document Ownership and Approval
Purpose and Scope
The purpose of this Policy is to:
- Set out our responsibilities, and the responsibilities of those working for and on our behalf, in observing and upholding our position on bribery and corruption; and
- Provide information and guidance to those working for and on our behalf on how to recognize and deal with bribery and corruption issues.
The scope of this policy applies to all Wiz personnel. This policy applies to the corporate controls environment.
Policy
Wiz conducts all business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery and corruption.
We take our legal responsibilities very seriously. We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.
Wiz may amend this policy from time to time and shall make the amended policy available to all individuals to which this policy applies.
Who does this policy apply to?
This policy applies to all persons working for Wiz or on Wiz's behalf in any capacity, including employees at all levels, directors, officers, agency workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners, sponsors, or any other person associated with us, wherever located.
Who is responsible for this policy?
Wiz's legal team has the overall responsibility for the effective operation of this policy. However, Wiz's management shall ensure the overall enforcement of this policy throughout the company. Suggestions for change should be reported to Wiz's legal team.
Definitions
- Bribery is offering, promising, giving or accepting any financial or other advantage, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage.
- An advantage includes money, gifts, loans, fees, hospitality, services, discounts, the award of a contract, or anything else of value.
- A person acts improperly where they act illegally, unethically, or contrary to an expectation of good faith or impartiality, or where they abuse a position of trust. The improper acts may be in relation to any business or professional activities, public functions, acts in the course of employment, or other activities by or on behalf of any organization of any kind.
It is a criminal offence to offer, promise, give, request, or accept a bribe. Individuals found guilty can be punished with imprisonment and/or fines, and employers that fail to prevent bribery can face an unlimited fine, exclusion from tendering for public contracts, and damage to their reputation.
- Corruption is the abuse of entrusted power or position for private gain.
EXAMPLES
Offering a bribe: You offer tickets to a major sporting event to a potential client, but only if they agree to do business with Wiz. This would be an offence as you are making the offer to gain a commercial and contractual advantage. We may also be found to have committed an offence because the offer has been made to obtain business for Wiz. It may also be an offence for the potential client to accept your offer.
Receiving a bribe: A supplier gives your nephew a job, but makes it clear that in return they expect you to use your influence at Wiz to ensure we continue to do business with them. It is an offence for a supplier to make such an offer. It would be an offence for you to accept the offer as you would be doing so to gain a personal advantage.
Bribing a foreign official: You arrange for the business to pay an additional "facilitation" payment to a foreign official to speed up an administrative process for Wiz. The offence of bribing a foreign public official is committed as soon as the offer is made. This is because it is made to gain a business advantage for us. We may also be found to have committed an offence.
- Facilitation Payments, also known as “back-handers” or “grease payments,” are typically small, unofficial payments made to secure or expedite a routine or necessary action (for example, by a government official).
- Kickbacks are typically payments made in return for a business favor or advantage.
- Third Party means any individual or organization you come into contact with during the course of your work for or with Wiz, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
What You Must Not Do
It is not acceptable for you (or someone on your behalf) to:
- give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
- give or accept a gift or hospitality during any commercial negotiations or tender process, if this could be perceived as intended or likely to influence the outcome;
- accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that it will provide a business advantage for them or anyone else in return;
- offer or accept a gift to or from government officials or representatives, or politicians or political parties, without the prior approval of the legal team;
- threaten or retaliate against another individual who has refused to commit a bribery offence or who has raised concerns under this policy; or
- engage in any other activity that might lead to a breach of this policy.
Facilitation Payments and Kickbacks
We do not make, and will not accept, facilitation payments or "kickbacks" of any kind. See section 2 for definitions of these terms.
You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by us or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with Wiz's legal team.
Gifts, Hospitality, and Expenses
This policy allows reasonable and appropriate hospitality or entertainment given to or received from third parties, for the purposes of:
- establishing or maintaining good business relationships;
- improving or maintaining our image or reputation; or
- marketing or presenting our products and/or services effectively.
The giving and accepting of gifts is allowed if the following requirements are met:
- it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
- it is appropriate in the circumstances, taking account of the reason for the gift, its timing and value;
- it is given openly, not secretly; and
- it complies with any applicable local law.
Promotional gifts of low value to or from existing customers, suppliers and business partners will usually be acceptable.
Reimbursing a third party's expenses or accepting an offer to reimburse our expenses (for example, the costs of attending a business meeting) would not usually amount to bribery. However, a payment in excess of genuine and reasonable business expenses (such as the cost of an extended hotel stay) is not acceptable.
We appreciate that practice varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift, hospitality or payment is reasonable and justifiable. The intention behind it should always be considered.
Donations
We do not make contributions to political parties.
We only make charitable donations that are legal and ethical under local laws and practices.
Record-Keeping
We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
You must declare and keep a written record of all hospitality or gifts given or received, which will be subject to managerial review.
You must submit all expenses claims relating to hospitality, gifts, or payments to third parties in accordance with our expenses policy and record the reason for expenditure.
All accounts, invoices, and other records relating to dealings with third parties including suppliers and customers should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
Your Responsibilities
You must ensure that you read, understand, and comply with this policy.
The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for Wiz or under Wiz's control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
You must notify the Wiz legal team as soon as possible if you believe or suspect that a conflict with this policy has occurred or may occur in the future, for example if a customer or potential customer offers you something to gain a business advantage with us or indicates to you that a gift or payment is required to secure their business. Further "red flags" that may indicate bribery or corruption are set out in section 13.
How to Raise a Concern
You are encouraged to raise concerns about any issue or suspicion of bribery or corruption at the earliest possible stage.
If you are offered a bribe, or are asked to make one, or if you believe or suspect that any bribery, corruption, or other breach of this policy has occurred or may occur, you must notify your manager, the HR team, or the legal team as soon as possible.
If you are unsure about whether a particular act constitutes bribery or corruption, raise it with your manager, the HR team, or the legal team.
Protection
Individuals who refuse to accept or offer a bribe or who raise concerns or report another's wrongdoing are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place or may take place in the future. Damaging treatment includes dismissal, disciplinary action, threats, or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the legal team immediately.
Training and Communication
Training on this policy will be provided as necessary.
Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.
Breaches of this Policy
Any employee who breaches this policy will face disciplinary action, up to dismissal for misconduct or gross misconduct.
We may terminate our relationship with other individuals and organizations working on our behalf if they breach this policy.
Potential Risk Scenarios: “Red Flags”
The following is a list of possible red flags that may arise during the course of your work for or with Wiz and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for or with Wiz, you must report them promptly to your manager, the HR team or legal team:
- you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
- you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a "special relationship" with foreign government officials;
- a third party insists on receiving a commission or fee payment before carrying out a government function or process for us;
- a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- a third party requests an unexpected additional fee or commission to "facilitate" a service;
- a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- a third party requests that a payment is made to "overlook" potential legal violations;
- a third party requests that you provide employment or some other advantage to a friend or relative;
- you receive an invoice from a third party that appears to be non-standard or customized;
- a third party insists on the use of side letters or refuses to put terms agreed in writing;
- you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
- a third party requests or requires the use of an agent, intermediary, consultant, distributor, or supplier that is not typically used by or known to us; or
- you are offered an unusually generous gift or lavish hospitality by a third party.
Document Ownership and Approval
- The Wiz Legal team is the owner of this document.
- This policy is designated as non-critical; the Wiz Legal team is responsible for ensuring the policy is reviewed and approved every second year.
- The current version of this document is available to all staff on the internal policy management tool.
- This Policy was approved by Mya Joel, Privacy Officer & Legal Counsel and is issued on a version-controlled basis.
- Change Record
Version | Author | Approver | Approval Date | Description of Changes |
2.0 | Gosia Gilad | Mya Joel | 16 July 2023 | Template and formatting updates |
Effective June 12th 2023 to August 29th 2023
WIZ ANTI-CORRUPTION AND BRIBERY POLICY
Contents
3. WHO DOES THIS POLICY APPLY TO?
4. WHO IS RESPONSIBLE FOR THE POLICY?
7. FACILITATION PAYMENTS AND KICKBACKS
8. GIFTS, HOSPITALITY, AND EXPENSES
14. TRAINING AND COMMUNICATION
16. POTENTIAL RISK SCENARIOS: "RED FLAGS"
- POLICY STATEMENT
- We conduct all our business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery and corruption.
- We take our legal responsibilities very seriously. We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.
- ABOUT THIS POLICY
- WHO DOES THIS POLICY APPLY TO?
This policy applies to all persons working for Wiz or on Wiz's behalf in any capacity, including employees at all levels, directors, officers, agency workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners, sponsors, or any other person associated with us, wherever located.
- WHO IS RESPONSIBLE FOR THE POLICY?
Wiz's legal team has the overall responsibility for the effective operation of this policy. However, Wiz's management shall ensure the overall enforcement of this policy throughout the company. Suggestions for change should be reported to Wiz's legal team.
- DEFINITIONS
- Bribery is offering, promising, giving or accepting any financial or other advantage, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage.
- An advantage includes money, gifts, loans, fees, hospitality, services, discounts, the award of a contract or anything else of value.
- A person acts improperly where they act illegally, unethically, or contrary to an expectation of good faith or impartiality, or where they abuse a position of trust. The improper acts may be in relation to any business or professional activities, public functions, acts in the course of employment, or other activities by or on behalf of any organization of any kind.
It is a criminal offence to offer, promise, give, request, or accept a bribe. Individuals found guilty can be punished with imprisonment and/or fines, and employers that fail to prevent bribery can face an unlimited fine, exclusion from tendering for public contracts, and damage to their reputation.
- Corruption is the abuse of entrusted power or position for private gain.
- Facilitation payments, also known as "back-handers" or "grease payments", are typically small, unofficial payments made to secure or expedite a routine or necessary action (for example by a government official).
- Kickbacks are typically payments made in return for a business favor or advantage.
- Third party means any individual or organization you come into contact with during the course of your work for or with Wiz, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
Examples:
Offering a bribe: You offer a potential client tickets to a major sporting event, but only if they agree to do business with Wiz. This would be an offence as you are making the offer to gain a commercial and contractual advantage. We may also be found to have committed an offence because the offer has been made to obtain business for Wiz. It may also be an offence for the potential client to accept your offer.
Receiving a bribe: A supplier gives your nephew a job, but makes it clear that in return they expect you to use your influence at Wiz to ensure we continue to do business with them. It is an offence for a supplier to make such an offer. It would be an offence for you to accept the offer as you would be doing so to gain a personal advantage.
Bribing a foreign official: You arrange for the business to pay an additional "facilitation" payment to a foreign official to speed up an administrative process for Wiz. The offence of bribing a foreign public official is committed as soon as the offer is made. This is because it is made to gain a business advantage for us. We may also be found to have committed an offence.
It is not acceptable for you (or someone on your behalf) to:
- give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
- give or accept a gift or hospitality during any commercial negotiations or tender process, if this could be perceived as intended or likely to influence the outcome;
- accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that it will provide a business advantage for them or anyone else in return;
- offer or accept a gift to or from government officials or representatives, or politicians or political parties, without the prior approval of the legal team;
- threaten or retaliate against another individual who has refused to commit a bribery offence or who has raised concerns under this policy; or
- engage in any other activity that might lead to a breach of this policy.
- We do not make, and will not accept, facilitation payments or "kickbacks" of any kind. See clause 5 for definitions of these terms.
- You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by us or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with Wiz's legal team.
- This policy allows reasonable and appropriate hospitality or entertainment given to or received from third parties, for the purposes of:
- The giving and accepting of gifts is allowed if the following requirements are met:
- it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
- it is appropriate in the circumstances, taking account of the reason for the gift, its timing and value;
- it is given openly, not secretly; and
- it complies with any applicable local law.
- Promotional gifts of low value to or from existing customers, suppliers and business partners will usually be acceptable.
- Reimbursing a third party's expenses or accepting an offer to reimburse our expenses (for example, the costs of attending a business meeting) would not usually amount to bribery. However, a payment in excess of genuine and reasonable business expenses (such as the cost of an extended hotel stay) is not acceptable.
- We appreciate that practice varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift, hospitality or payment is reasonable and justifiable. The intention behind it should always be considered.
- We do not make contributions to political parties.
- We only make charitable donations that are legal and ethical under local laws and practices.
- We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
- You must declare and keep a written record of all hospitality or gifts given or received, which will be subject to managerial review.
- You must submit all expenses claims relating to hospitality, gifts or payments to third parties in accordance with our expenses policy and record the reason for expenditure.
- All accounts, invoices, and other records relating to dealings with third parties including suppliers and customers should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
- You must ensure that you read, understand, and comply with this policy.
- The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for Wiz or under Wiz's control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
- You must notify the legal team as soon as possible if you believe or suspect that a conflict with this policy has occurred, or may occur in the future, for example if a customer or potential customer offers you something to gain a business advantage with us or indicates to you that a gift or payment is required to secure their business. Further "red flags" that may indicate bribery or corruption are set out in clause 16.
- You are encouraged to raise concerns about any issue or suspicion of bribery or corruption at the earliest possible stage.
- If you are offered a bribe, or are asked to make one, or if you believe or suspect that any bribery, corruption, or other breach of this policy has occurred or may occur, you must notify your manager, the HR team or the legal team as soon as possible.
- If you are unsure about whether a particular act constitutes bribery or corruption, raise it with your manager, the HR team or the legal team.
- Individuals who refuse to accept or offer a bribe, or who raise concerns or report another's wrongdoing, are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
- We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place or may take place in the future. Damaging treatment includes dismissal, disciplinary action, threats or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the legal team immediately.
- Training on this policy will be provided as necessary.
- Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.
- Any employee who breaches this policy will face disciplinary action, which could result in dismissal for misconduct or gross misconduct.
- We may terminate our relationship with other individuals and organizations working on our behalf if they breach this policy.
The following is a list of possible red flags that may arise during the course of you working for or with Wiz and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for or with Wiz, you must report them promptly to your manager, the HR team or the legal team:
- you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
- you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a "special relationship" with foreign government officials;
- a third party insists on receiving a commission or fee payment before carrying out a government function or process for us;
- a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- a third party requests an unexpected additional fee or commission to "facilitate" a service;
- a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- a third party requests that a payment is made to "overlook" potential legal violations;
- a third party requests that you provide employment or some other advantage to a friend or relative;
- you receive an invoice from a third party that appears to be non-standard or customized;
- a third party insists on the use of side letters or refuses to put terms agreed in writing;
- you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
- a third party requests or requires the use of an agent, intermediary, consultant, distributor or supplier that is not typically used by or known to us; or
- you are offered an unusually generous gift or offered lavish hospitality by a third party.
Effective May 24th 2023 to June 12th 2023
WIZ ANTI-CORRUPTION AND BRIBERY POLICY
Contents
WIZ ANTI-CORRUPTION AND BRIBERY POLICY
3. WHO DOES THIS POLICY APPLY TO?
4. WHO IS RESPONSIBLE FOR THE POLICY?
7. FACILITATION PAYMENTS AND KICKBACKS
8. GIFTS, HOSPITALITY, AND EXPENSES
14. TRAINING AND COMMUNICATION
16. POTENTIAL RISK SCENARIOS: "RED FLAGS"
- POLICY STATEMENT
- We conduct all our business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery and corruption.
- We take our legal responsibilities very seriously. We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.
- ABOUT THIS POLICY
- WHO DOES THIS POLICY APPLY TO?
This policy applies to all persons working for Wiz or on Wiz's behalf in any capacity, including employees at all levels, directors, officers, agency workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners, sponsors, or any other person associated with us, wherever located.
- DEFINITIONS
- Bribery is offering, promising, giving or accepting any financial or other advantage, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage.
- An advantage includes money, gifts, loans, fees, hospitality, services, discounts, the award of a contract or anything else of value.
- A person acts improperly where they act illegally, unethically, or contrary to an expectation of good faith or impartiality, or where they abuse a position of trust. The improper acts may be in relation to any business or professional activities, public functions, acts in the course of employment, or other activities by or on behalf of any organization of any kind.
It is a criminal offence to offer, promise, give, request, or accept a bribe. Individuals found guilty can be punished with imprisonment and/or fines, and employers that fail to prevent bribery can face an unlimited fine, exclusion from tendering for public contracts, and damage to their reputation.
Examples:
- Offering a bribe: You offer a potential client tickets to a major sporting event, but only if they agree to do business with Wiz. This would be an offence as you are making the offer to gain a commercial and contractual advantage. We may also be found to have committed an offence because the offer has been made to obtain business for Wiz. It may also be an offence for the potential client to accept your offer.
- Receiving a bribe: A supplier gives your nephew a job, but makes it clear that in return they expect you to use your influence at Wiz to ensure we continue to do business with them. It is an offence for a supplier to make such an offer. It would be an offence for you to accept the offer as you would be doing so to gain a personal advantage.
- Bribing a foreign official: You arrange for the business to pay an additional "facilitation" payment to a foreign official to speed up an administrative process for Wiz. The offence of bribing a foreign public official is committed as soon as the offer is made. This is because it is made to gain a business advantage for us. We may also be found to have committed an offence.
- Facilitation payments, also known as "back-handers" or "grease payments", are typically small, unofficial payments made to secure or expedite a routine or necessary action (for example by a government official).
- Kickbacks are typically payments made in return for a business favor or advantage.
- Third party means any individual or organization you come into contact with during the course of your work for or with Wiz, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
It is not acceptable for you (or someone on your behalf) to:
- give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
- give or accept a gift or hospitality during any commercial negotiations or tender process, if this could be perceived as intended or likely to influence the outcome;
- accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that it will provide a business advantage for them or anyone else in return;
- offer or accept a gift to or from government officials or representatives, or politicians or political parties, without the prior approval of the legal team;
- threaten or retaliate against another individual who has refused to commit a bribery offence or who has raised concerns under this policy; or
- engage in any other activity that might lead to a breach of this policy.
- FACILITATION PAYMENTS AND KICKBACKS
- We do not make, and will not accept, facilitation payments or "kickbacks" of any kind. See clause 5 for definitions of these terms.
- You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by us or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with Wiz's legal team.
- GIFTS, HOSPITALITY, AND EXPENSES
- This policy allows reasonable and appropriate hospitality or entertainment given to or received from third parties, for the purposes of:
- The giving and accepting of gifts is allowed if the following requirements are met:
- it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
- it is appropriate in the circumstances, taking account of the reason for the gift, its timing and value;
- it is given openly, not secretly; and
- it complies with any applicable local law.
- Promotional gifts of low value to or from existing customers, suppliers and business partners will usually be acceptable.
- Reimbursing a third party's expenses or accepting an offer to reimburse our expenses (for example, the costs of attending a business meeting) would not usually amount to bribery. However, a payment in excess of genuine and reasonable business expenses (such as the cost of an extended hotel stay) is not acceptable.
- We appreciate that practice varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift, hospitality or payment is reasonable and justifiable. The intention behind it should always be considered.
- DONATIONS
- RECORD-KEEPING
- We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
- You must declare and keep a written record of all hospitality or gifts given or received, which will be subject to managerial review.
- You must submit all expenses claims relating to hospitality, gifts or payments to third parties in accordance with our expenses policy and record the reason for expenditure.
- All accounts, invoices, and other records relating to dealings with third parties including suppliers and customers should be prepared with strict accuracy and completeness. Accounts must not be kept "off-book" to facilitate or conceal improper payments.
- YOUR RESPONSIBILITIES
- You must ensure that you read, understand, and comply with this policy.
- The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for Wiz or under Wiz's control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.
- You must notify the legal team as soon as possible if you believe or suspect that a conflict with this policy has occurred, or may occur in the future, for example if a customer or potential customer offers you something to gain a business advantage with us or indicates to you that a gift or payment is required to secure their business. Further "red flags" that may indicate bribery or corruption are set out in clause 16.
- HOW TO RAISE A CONCERN
- You are encouraged to raise concerns about any issue or suspicion of bribery or corruption at the earliest possible stage.
- If you are offered a bribe, or are asked to make one, or if you believe or suspect that any bribery, corruption, or other breach of this policy has occurred or may occur, you must notify your manager, the HR team or the legal team as soon as possible.
- If you are unsure about whether a particular act constitutes bribery or corruption, raise it with your manager, the HR team or the legal team.
- PROTECTION
- Individuals who refuse to accept or offer a bribe, or who raise concerns or report another's wrongdoing, are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
- We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place or may take place in the future. Damaging treatment includes dismissal, disciplinary action, threats or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the legal team immediately.
- TRAINING AND COMMUNICATION
- BREACHES OF THIS POLICY
- POTENTIAL RISK SCENARIOS: "RED FLAGS"
The following is a list of possible red flags that may arise during the course of you working for or with Wiz and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for or with Wiz, you must report them promptly to your manager, the HR team or the legal team:
- you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
- you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a "special relationship" with foreign government officials;
- a third party insists on receiving a commission or fee payment before carrying out a government function or process for us;
- a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
- a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
- a third party requests an unexpected additional fee or commission to "facilitate" a service;
- a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
- a third party requests that a payment is made to "overlook" potential legal violations;
- a third party requests that you provide employment or some other advantage to a friend or relative;
- you receive an invoice from a third party that appears to be non-standard or customized;
- a third party insists on the use of side letters or refuses to put terms agreed in writing;
- you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
- a third party requests or requires the use of an agent, intermediary, consultant, distributor or supplier that is not typically used by or known to us; or
- you are offered an unusually generous gift or offered lavish hospitality by a third party.
Wiz Code of Conduct
Effective September 27th 2024
WIZ CODE OF CONDUCT
2. RESPONSIBILITY FOR THE CODE
6. DOCUMENT OWNERSHIP AND APPROVAL
1. PURPOSE AND SCOPE
The purpose of this code of conduct is to:
- Explain Wiz's values and how they relate both to our day-to-day work and the key ethical issues Wiz faces.
- Provide information and guidance in relation to how we should conduct ourselves when carrying out business.
- Explain how we expect our employees, suppliers, partners, vendors, agents, advisors and/or our representatives (collectively, "Partners") to conduct themselves when engaging with Wiz, acting on behalf of Wiz and/or otherwise providing services to Wiz.
This code of conduct applies to all persons working for or with Wiz including all Partners and employees at all levels, directors, officers, agency workers, volunteers, interns and individual temporary or fixed term contractors, wherever located (collectively, “Representatives”).
Wiz may amend this code of conduct from time to time and shall make available such amendments to all Representatives.
1.1 Wiz Values
Be Truthful
- Strong in authentic communication
- Able to build trust with stakeholders
- Comfortable with saying “I don’t know,” and wanting to learn
- Flexibility – able to adjust quickly to change
Lead by Example
- Live up to values, not just talk
- Roll up sleeve mentality
- Solution oriented – identify the problem and then plan for moving forward
- Able to express a strong, clear point of view
Win Together
- Excellence in teamwork
- Focus on building Raving Fans
- Excited to build together
- Accessible to all – excited to interact with anyone at company to help
Execute with Excellence
- Highly accountable – we deliver on our promises
- Relentless focus – customer delight is always top of mind
- Create – think outside the box and build the Wiz playbook
Act Confident, Stay Humble
- Learn it All mentality
- Strong drive for improvement
- Able to listen and open to change
- Above and beyond for everyone – never saying “it is not my job”
2. RESPONSIBILITY FOR THE CODE
Management at all levels are responsible for ensuring those reporting to them understand and comply with this code of conduct and are given adequate and regular training on it and the issues covered by it.
3. PRINCIPLES AND ETHICS
3.1 Standards of Behavior
Wiz employees or “Wizards” are ambassadors of the Wiz brand and a critical aspect of what makes up the Wiz DNA. As such, we hold a high bar for the standard of behavior expected. Wizards have a responsibility to treat others with dignity and respect at all times and exhibit conduct that reflects inclusion during work, at work functions on or off the worksite, and all other company-sponsored events. Behavior exhibited that does not reflect the Wiz values could be deemed misconduct. Misconduct will not be tolerated and could be grounds for disciplinary action up to and including termination of employment.
Examples of misconduct include, but are not limited to, the following:
- Refusal to perform or follow reasonable directions or prescribed procedures or any form of insubordination;
- Theft or unauthorized removal of company property or the property of others;
- Any action deemed to not align with Wiz values or be considered detrimental to our culture;
- Defacing, damaging, or destroying property of the company or others;
- Possession of illegal drugs on company premises;
- Abusive or discourteous treatment of clients, customers, guests, or other employees;
- Any behavior that creates an intimidating, hostile, or offensive work environment or has an adverse effect on work performance;
- Revealing, disclosing, or making available any information considered “confidential” to unauthorized persons;
- Misrepresentation or omission of facts in obtaining employment;
- Falsification of any record of hours worked or tampering with any other employee’s record;
- Failure to comply with fire, safety, and health rules, instructions, or practices;
- Fighting, serious violence, or verbal threats; or
- Possession of a firearm or other weapon on company property.
This list is for illustrative purposes only and does not constitute a complete list of behavior that is considered inappropriate. In general, based on high ethical principles, the use of good judgement will guide you with respect to lines of acceptable conduct. If a situation arises where it is difficult to determine the proper course of action, the matter should be discussed openly with your leader and/or any member of the HRBP team for advice and consultation.
Compliance with this policy of business ethics and conduct is the responsibility of every Wizard.
3.2 Human Rights
Wiz supports the fundamental human rights of all people. We respect and do not interfere with the right of our Representatives to decide whether to lawfully associate with groups of their choice, including the right to form or join trade unions and/or to engage in collective bargaining. Wiz strives to embed human rights in existing operations by multiple means: assessing the risks, increasing awareness, fostering due diligence, strengthening the legal framework, collaborating in collective actions, opening dialogue and transparent reporting. Where faced with human rights violations, Wiz implements adequate remediation.
3.3 Equal opportunities, inclusion and diversity
Wiz is committed to diversity and equal opportunities for everyone. Wiz respects the unique attributes and perspectives of our Representatives. Wiz provides equal treatment and equal employment opportunity without regard to race, ethnicity, color, religion, gender, age, national origin or ancestry, physical or mental disability, sexual orientation, military status or any other basis protected by law.
3.4 Employment
Wiz compensates its employees in accordance with applicable laws and pays fair wages in line with applicable laws including adequate rest periods and leave. Wiz is committed to ensuring that the services we provide are delivered in a way that respects human rights and protects the fundamental dignity of workers. This includes ensuring that there is no slavery, servitude, forced or compulsory human labor, human trafficking, child labor, debt bondage and deceptive recruiting for labor or any other form of modern slavery in any part of our business or in our supply chains.
3.5 Safe Work Environment
Wiz provides a safe, healthy, and sanitary working environment. This includes the implementation of safeguards to prevent workplace hazards and work-related accidents and injuries.
3.6 Confidential Information
Confidential information is a valuable asset. In the course of Wiz's operations, we may be entrusted with information that must be kept confidential. Our confidential business information must be kept secure for Wiz to remain competitive and successful. Confidential information may include, for example, unpublished sales and financial information, internal operations at Wiz, product or operating formulas and methods, information relating to Wiz's platform, roadmap, marketing plans, research results, employee data, and information about Wiz and its Representatives.
Unauthorized disclosure of Wiz's confidential information will adversely affect Wiz and its business. Wiz trusts its employees and Representatives to ensure the secrecy of Wiz's confidential information and to not disclose confidential information outside of Wiz.
Wiz also receives confidential information about third parties such as the Confidential Information of its Representatives. Wiz has an obligation to protect such third-party confidential information in the same way that it protects its own Confidential Information.
3.7 Data Privacy
The protection and responsible use of personal data is a priority for Wiz. Wiz is committed to collecting and using data in a lawful, fair, legitimate and ethical way, and will always respect the privacy of individuals in order to earn and deserve their trust. Wiz ensures that its processing of personal data, by itself or by itself and its Representatives, is in compliance with laws. Representatives with access to personal data are expected to apply the privacy principles of lawful, fair and transparent data processing, respecting any purpose limitations, as well as the principles of data minimization, accuracy, storage limitation, integrity and confidentiality. Wiz implements and continuously monitors its security measures to protect individuals’ privacy rights.
3.8 Bribery and Corruption
All Wiz Representatives must comply with applicable anti-corruption laws, regardless of personal location or place of business. Representatives shall review and ensure full compliance with Wiz's Anti Corruption and Bribery Policy. Anti-corruption laws include prohibitions on bribing government officials, or engaging in kickbacks and bribery with private parties (also known as commercial bribery). Wiz prohibits all forms of bribery or kickbacks. Wiz does not tolerate violations. Representatives must not offer, directly or indirectly, any form of gift, entertainment or anything of value to any government official or his or her representatives to: (a) obtain or retain business; (b) influence business decisions; (c) expedite a process; or (d) secure an unfair advantage. Wiz also prohibits payments to government officials to expedite or ensure routine actions, such as issuing licenses, permits or visas. These prohibitions apply to Wiz's business operations and to any third parties acting on Wiz's behalf. For purposes of anti-bribery laws, government officials include elected and appointed officers or employees of national, municipal or local governments (including individuals holding legislative, administrative and judicial positions), officials of political parties and candidates for political offices, and employees of government or state-controlled companies.
3.9. Free and Fair Competition
Wiz is committed to free, fair, and open competition, which is an essential feature of healthy business markets. Competition fosters innovation, productivity and growth. Fair competition laws (often called Antitrust or Competition laws) are intended to promote and protect competition. Such laws ensure a level playing field for all businesses, which in turn supports healthy local and global economies. Wiz carefully follows these laws in all of its business.
3.10 Conflicts of Interest
A conflict of interest exists when a Representative's personal interests are inconsistent with those of Wiz and create conflicting loyalties. Wiz requires that its Representatives avoid situations where their personal interests conflict, or appear to conflict, with the interests of Wiz. Representatives should not use their position at Wiz for personal benefit or to benefit relatives or close associates. Many actual or potential conflicts of interest can be resolved in an acceptable way for both the individual and Wiz. In case of a conflict of interest, the Representatives concerned should immediately inform their manager or Wiz business stakeholder in order to find an appropriate solution.
3.11. Wiz and its Community
As part of the global community, we recognize our important role in helping to address some of the world’s significant challenges. We endeavor to make our communities better places to live and work. Wiz encourages its Representatives to get involved in activities that strengthen communities. Wiz's ability to build relationships with our communities is critical to our long-term success.
3.12. Environment & Sustainability
At Wiz we strive to minimize environmental pollution and make continuous improvements in environmental protection and sustainability through our actions, including by considering environmental impact when sourcing or delivering services. Wiz and our suppliers are required to act in accordance with applicable statutory and international standards regarding the environment.
4. TRAINING AND COMPLIANCE
Wiz shall train its employees to ensure awareness and compliance with the requirements of this Code. However, Wiz believes that the sense of responsibility of each Representative is the basis of compliance. Thus, Wiz expects its Representatives to constantly and adequately identify, assess and manage the compliance risks that fall within the sphere of Wiz's business responsibilities.
Wiz encourages its Representatives to report any violations of this code of conduct to their manager or Wiz business stakeholder and/or to Wiz's legal team, including via Wiz’s anonymous hotline reporting tool.
5. RELATED DOCUMENTS
Wiz Anti Corruption and Bribery Policy
6. DOCUMENT OWNERSHIP AND APPROVAL
6.1 The Wiz Legal team is the owner of this document.
6.2 This policy is designated as critical; Wiz Legal team is responsible for ensuring the policy is reviewed and approved annually.
6.3 The current version of this document is available to all staff on the internal policy management tool.
6.4 This code of conduct was approved by Emma Berkenfeld and issued on a version-controlled basis.
Effective November 21st 2023 to September 27th 2024
WIZ CODE OF CONDUCT
1. ABOUT THIS CODE OF CONDUCT
2. WHO THIS CODE APPLIES TO
3. RESPONSIBILITY FOR THE CODE
4. PRINCIPLES AND ETHICS
5. TRAINING AND ENSURING COMPLIANCE
- Explain Wiz's values and how they relate both to our day-to-day work and the key ethical issues Wiz faces.
- Provide information and guidance in relation to how we should conduct ourselves when carrying out business; and
- Explain how we expect our employees, suppliers, partners, vendors, agents, advisors and/or our representatives (collectively, "Representatives") to conduct themselves when engaging with Wiz, acting on behalf of Wiz and/or otherwise providing services to Wiz.
Effective November 17th 2023 to November 21st 2023
WIZ CODE OF CONDUCT
5. TRAINING AND ENSURING COMPLIANCE
- Explain Wiz's values and how they relate both to our day-to-day work and the key ethical issues Wiz faces.
- Provide information and guidance in relation to how we should conduct ourselves when carrying out business; and
- Explain how we expect our employees, suppliers, partners, vendors, agents, advisors and/or our representatives (collectively, "Representatives") to conduct themselves when engaging with Wiz, acting on behalf of Wiz and/or otherwise providing services to Wiz.
Effective October 9th 2023 to November 17th 2023
WIZ CODE OF CONDUCT
Contents
5. TRAINING AND ENSURING COMPLIANCE
- Explain Wiz's values and how they relate both to our day-to-day work and the key ethical issues Wiz faces.
- Provide information and guidance in relation to how we should conduct ourselves when carrying out business; and
- Explain how we expect our employees, suppliers, partners, vendors, agents, advisors and/or our representatives (collectively, "Representatives") to conduct themselves when engaging with Wiz, acting on behalf of Wiz and/or otherwise providing services to Wiz.
Data Processing Agreement
Effective August 26th 2024
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. As between the Parties, Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, to the extent applicable, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business or, where Customer is acting on behalf of its own customers, a Processor, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz shall comply with its obligations under US Privacy Laws, including by providing the level of privacy protection as is required by US Privacy Laws to Customer Personal Data subject to the US Privacy Laws. Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data for any purpose other than the contractual business purpose set forth herein or as otherwise permitted under US Privacy Laws or outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 To the extent required under US Privacy Laws, Customer may take reasonable and appropriate steps to help to ensure that Wiz uses Customer Personal Data in a manner consistent with Customer’s obligations under US Privacy Laws and to stop and remediate unauthorized use of the Customer Personal Data.
9.4 Wiz certifies that it understands its obligations in this Clause 9. The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer and complying with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Depending on the Customer’s environment and naming conventions and features used by Customer, some limited Personal Data may be included in the metadata findings. For example, cloud user account names, logs and artifacts could include an individual’s name, associated email address, professional phone number and IP address as well as information about device and operating system and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1. In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the Extended EEA Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2. The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3. If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4. If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6. For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7. Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8. Except where paragraph 1.7 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement. Contact details: As set out in the Agreement. Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA. |
Data Importer: | Name and address: Wiz, as set out in the Agreement. Contact details: Privacy Officer, privacy@wiz.io. Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA. |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services. If Customer uses Wiz’s features specifically designed to scan data stores via a SaaS deployment, Wiz will temporarily Process any Special Category data included within the data source(s) that Customer connects for scanning. |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective April 18th 2024 to August 26th 2024
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. As between the Parties, Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, to the extent applicable, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business or, where Customer is acting on behalf of its own customers, a Processor, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz shall comply with its obligations under US Privacy Laws, including by providing the level of privacy protection as is required by US Privacy Laws to Customer Personal Data subject to the US Privacy Laws. Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data for any purpose other than the contractual business purpose set forth herein or as otherwise permitted under US Privacy Laws or outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 To the extent required under US Privacy Laws, Customer may take reasonable and appropriate steps to help to ensure that Wiz uses Customer Personal Data in a manner consistent with Customer’s obligations under US Privacy Laws and to stop and remediate unauthorized use of the Customer Personal Data.
9.4 Wiz certifies that it understands its obligations in this Clause 9. The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSE
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer and complying with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Depending on the Customer’s environment and naming conventions and features used by Customer, some limited Personal Data may be included in the metadata findings. For example, cloud user account names, logs and artifacts could include an individual’s name, associated email address, professional phone number and IP address as well as information about device and operating system and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1. In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the Extended EEA Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2. The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3. If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4. If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6. For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7. Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8. Except where paragraph 1.7 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement; Contact details: As set out in the Agreement; Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement; Contact details: Privacy Officer, privacy@wiz.io; Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services. If Customer uses Wiz’s features specifically designed to scan data stores via a SaaS deployment, Wiz will temporarily Process any Special Category data included within the data source(s) that Customer connects for scanning. |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective November 20th 2023 to April 18th 2024
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 To the extent required under US Privacy Laws, Customer may take reasonable and appropriate steps to help to ensure that Wiz uses Customer Personal Data in a manner consistent with Customer’s obligations under US Privacy Laws and to stop and remediate unauthorized use of the Customer Personal Data.
9.4 Wiz certifies that it understands its obligations in this Clause 9. The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1 Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the Extended EEA Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective November 17th 2023 to November 20th 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective November 13th 2023 to November 17th 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement; Contact details: As set out in the Agreement; Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement; Contact details: Privacy Officer, privacy@wiz.io; Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective October 29th 2023 to November 13th 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, 	Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, 	the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. 	INTERPRETATION AND DEFINITIONS
1.1 	The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2	Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2.	CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3.	WIZ’S PROCESSING OF PERSONAL DATA
3.1	Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2	Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3	Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4	To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4.	RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5.	WIZ PERSONNEL
5.1	Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6.	AUTHORIZATION REGARDING SUB-PROCESSORS
6.1	Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2	Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3	Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7.	SECURITY
7.1	Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2	Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8.	TRANSFERS OF DATA
8.1	Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 	Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3	In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. 	US PRIVACY LAWS
9.1 	In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2	Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4	The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10.	PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11.	RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12.	TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13.	RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14.	MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1.	Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2.	To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3.	Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4.	Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement. Contact details: As set out in the Agreement. Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA. |
Data Importer: | Name and address: Wiz, as set out in the Agreement. Contact details: Privacy Officer, privacy@wiz.io. Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA. |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective September 19th 2023 to October 29th 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in this DPA, the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2. Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3. Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective September 11th 2023 to September 19th 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in this DPA, the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Company in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2. Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3. Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective August 29th 2023 to September 11th 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, 	Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, 	the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. 	INTERPRETATION AND DEFINITIONS
1.1 	The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2	Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Documentation” means Wiz’s security documentation that is applicable to the specific Services purchased by Customer, as updated from time to time, and as made reasonably available by Wiz.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2.	CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3.	WIZ’S PROCESSING OF PERSONAL DATA
3.1	Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2	Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3	Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in this DPA, the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Company in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4	To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4.	RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5.	WIZ PERSONNEL
5.1	Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6.	AUTHORIZATION REGARDING SUB-PROCESSORS
6.1	Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2	Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3	Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7.	SECURITY
7.1	Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2	Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8.	TRANSFERS OF DATA
8.1	Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 	Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3	In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. 	US PRIVACY LAWS
9.1 	In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2	Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4	The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10.	PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11.	RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12.	TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13.	RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14.	MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1.	Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2.	To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3.	Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4.	Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1	Incorporation and interpretation of the Standard Contractual Clauses
1.1	In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2	The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3	If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4	If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5	Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6	For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 	Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 	Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a)	“Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b)	“the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c)	“supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer:	 | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA	 | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING	 | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply:	 For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective August 21st 2023 to August 29th 2023
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Wiz but has not signed its own agreement with Wiz and is not a “Customer” as defined under the Agreement. For the purposes of the DPA, the term Customer includes Customer Authorized Affiliates to the extent applicable.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a country within the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Documentation” means Wiz’s security documentation that is applicable to the specific Services purchased by Customer, as updated from time to time, and as made reasonably available by Wiz.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “U.S. Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
- Wiz certifies that it understands its obligations in this Clause 9.
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer or Customer Authorized Affiliate as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer or Customer Authorized Affiliate, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer:	 | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA	 | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING	 | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List. |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. Where the data exporter is established outside of the EU, but within an Extended EEA Country, the competent supervisory authority shall be the supervisory authority of the Extended EEA Country in which the Transferring Client Entity is established. Where the data exporter is established outside an Extended EEA Country and the personal data originates from an Extended EEA Country which is not in the EU, the supervisory authority shall be the supervisory authority of the Extended EEA Country from which the Personal Data originated. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: (a) where the data exporter is established in the EU or otherwise if the personal data originates from the EU, the Parties select the laws of the Netherlands; (b) where the data exporter is established outside the EU but within an Extended EEA Country, the Parties select the laws of the Extended EEA Country where the data exporter is established; or (c) subject to (a) above, where the data exporter is established outside an Extended EEA Country, the parties select the laws of the Extended EEA Country where the personal data originates from. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs:
outside an Extended EEA Country, the parties select the courts of the Extended EEA Country where the personal data originates from. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply:	 For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
Effective July 5th 2023 to August 21st 2023
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Wiz but has not signed its own agreement with Wiz and is not a “Customer” as defined under the Agreement. For the purposes of the DPA, the term Customer includes Customer Authorized Affiliates to the extent applicable.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a country within the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Documentation” means Wiz’s security documentation that is applicable to the specific Services purchased by Customer, as updated from time to time, and as made reasonably available by Wiz.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “U.S. Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
- Wiz certifies that it understands its obligations in this Clause 9.