This data processing agreement constitutes an addendum to the Tarsnap Terms and Conditions agreed to between a person registered for a Tarsnap account ("You" or "Your") and Tarsnap Backup Inc. ("Tarsnap").

Whereas:

• You handle data covered by the General Data Protection Regulation ("GDPR") and have consequential legal obligations concerning the handling of that data;
• You wish to use services provided by Tarsnap ("Tarsnap Services") in regard to that data;
• In providing Tarsnap services, it is technically infeasible for Tarsnap to distinguish between data covered by the General Data Protection Regulation and other non-covered data, to distinguish between different types of Your data, or to distinguish between data associated with specific individuals; and
• Tarsnap wishes to assist You in fulfilling Your legal obligations,

It is agreed that:

1. Data Processing

1.1 Tarsnap will handle data which You provide in the course of using Tarsnap Services only as needed to provide said services, and will not perform any other analysis or processing or use said data for any other purpose.

1.2. API requests made using Your authentication keys shall constitute "documented instructions" for the purpose of Article 28 of the GDPR.

2. Security

2.1 Tarsnap will use appropriate technical and organizational measures to ensure the security of Your data while it is being processed.

2.2. Upon request, Tarsnap will provide You with information concerning the technical and organizational measures used, and will notify You before making any changes which meaningfully reduce the level of security.

2.3. You will use appropriate technical and organizational measures to ensure the security of cryptographic keys used to access Tarsnap Services. Any disclosure of information resulting from Your failure to secure such keys will not be considered a breach in Tarsnap's security.

3. Notification of security breaches

3.1. In the event that Tarsnap becomes aware of evidence of a breach in its security which could affect Your data, Tarsnap will notify You without undue delay, and within 36 hours unless a further delay is necessary in order to protect the security of Your data or data belonging to other Tarsnap customers.

4. Sub-processors

4.1. Tarsnap may use sub-processors in the course of providing Tarsnap Services. These sub-processors may be in countries outside of the European Union if the European Commission has decided that an adequate level of protection is provided, or where Standard Contractual Clauses approved by the European Commission are in place.

4.2. Upon request, Tarsnap will provide You with information concerning the countries and sub-processors where Your data is being processed and technical measures used to ensure the security of Your data, and will notify You prior to making any changes to the list of sub-processors used.

5. Enquiries by Data Subjects

5.1. Tarsnap will make reasonable efforts to assist you in complying with requests from Data Subjects, but You acknowledge that those efforts will necessarily be limited by Tarsnap's inability to decrypt Your data or to identify which portions of Your data concern any particular individual.

6. Audit

6.1. Tarsnap will make information available to You or to an auditor appointed by You as necessary to demonstrate compliance with this agreement and legal obligations under the General Data Protection Regulation, subject to the limitation that information will not be provided which could compromise the security of Your data or data belonging to other Tarsnap customers.

7. Retrieval of data and termination

7.1. You may retrieve Your data at any time via the Tarsnap service.

7.2. Upon the conclusion of this agreement, Your data will be deleted.