Limited Data Clause for Incidental Access

Below is a heavily-revised version of the clause published in The Tech Contracts Handbook (3rd ed.). The revisions result from changes in privacy law since publication (including expansions of the “processor” definition under GDPR and other statutes). But even as revised, we’re not sure when this clause would work or under which jurisdictions’ privacy laws. So we may revise this clause as the law changes and as we learn more. Before using this clause, you should research privacy law applicable to your deal/data to determine whether a clause like this serves any purpose or would lead to violation of applicable law.

Customer shall not transmit Non-Account Data (as defined below) to Provider at any time or for any reason, including without limitation by including Non-Account Data in a message to Provider or by attempting to copy Non-Account Data onto a computer Provider owns or controls. Customer recognizes and agrees that: (1) Provider does not provide data storage or host software or computers for customers’ use; (2) Provider is not expected to collect, store, manage, transform, transfer, or otherwise manipulate Non-Account Data; (3) through provision of Professional Services, Provider may have access to Customer computers that store Non-Account Data, but Provider is not expected to access such Non-Account Data; and (4) any Non-Account Data access Provider may have through Professional Services would be incidental and meant to be temporary and would occur on Customer computers as a result of Professional Services involving those computers. (“Non-Account Data” refers to Customer Data, excluding data related to the management or enforcement of this Agreement or related to provision and receipt of Professional Services by Customer’s employees and natural person contractors.) [The II.J.1 clause box in this library and in The Tech Contracts Handbook (3rd ed.) defines Customer data as “all information processed or stored through the System by Customer or on Customer’s behalf.” The “System” typically means a cloud computing system, but here it could be all the customer’s computers or at least all those accessible to the provider.]

(a) Statutory Special Terms. The parties recognize and agree that Attachment __ (____): (i) governs the following Customer Data to the extent shared with or accessible by Provider: __________ [list the data governed by the privacy/security law in question]; and (ii) applies only to such Customer Data and not to any of the parties’ other rights or duties pursuant to this Agreement. If Provider receives a “right to know,” deletion, “right to be forgotten,” or similar request related to Customer Data, Provider is not required to respond on Customer’s behalf or on Provider’s own behalf, subject to applicable law, but Provider may do so. Nothing in this Agreement precludes Provider from asserting rights or defenses it may have under applicable law related to such requests. Customer recognizes and agrees that, except where forbidden by applicable law, Provider may charge additional fees (without limitation) (A) for activities (if any) required of Provider by laws related to privacy or security and (B) for activities Customer requests and Provider agrees to perform to help Customer comply with such laws.

(b) Privacy Policy. Customer acknowledges Provider’s privacy policy at __________, and Customer recognizes and agrees that such privacy policy is not part of this Agreement and that nothing in this Agreement restricts Provider’s right to alter such privacy policy.