Software and Service Specific Requirements for Fivetran Products

Effective 6/1/26

These Software and Service Specific Requirements for Fivetran Products (these "Requirements") apply to clients that have purchased or been granted access to Fivetran Products (as defined below) under an Order Form (“Client” or “Customer”). These Requirements supplement the terms of (a) the dbt Labs Terms of Service or other agreement for Client’s use of the dbt Labs Services (the "Terms") entered into between dbt Labs, LLC, as successor to dbt Labs, Inc. ("dbt Labs") and Client; and (b) the dbt Labs Data Processing Addendum or similar agreement for dbt Labs’ processing of Personal Data on behalf of Client in connection with Client’s use of dbt Labs Services and Fivetran Products (the "DPA", and together with the Terms, the "Agreement") entered into between dbt Labs and Client. Capitalized terms used but not defined herein will have the meanings given to them in the Agreement (or, if not defined in the Agreement, in the dbt Labs Terms of Service located at https://www.getdbt.com/terms-of-service or the dbt Labs Data Processing Addendum located at https://www.getdbt.com/cloud/dpa, or such successor URLs as may be designated by dbt Labs).

1. DEFINITIONS

Notwithstanding anything to the contrary in the Agreement, for purposes of Client’s use of the Fivetran Products, the following definitions apply:

  • "Customer Data" or “Data” means any data that Client or its Authorized Users upload to or transmit through a Fivetran Product.
  • "Documentation" means Fivetran’s usage documentation for the applicable Fivetran Product made available on Fivetran’s website.
  • "Fivetran" means Fivetran Inc., a Delaware corporation.
  • "Fivetran Product" means (a) a SaaS-based data integration product ("SaaS Product"), (b) a downloadable data integration software component or product installed on premise or in Client’s private cloud environment ("On-Prem Software"), or (c) any combination or hybrid thereof, in each case provided by Fivetran.
  • “Personal Data” means the personal data described in Annex I as attached to these Requirements.
  • “Software and Service Specific Requirements” means the requirements for certain of the Fivetran Products and Professional Services located at https://www.fivetran.com/legal/service-specific-requirements, solely to the extent Client uses such Fivetran Products or Professional Services.
  • "Source and Target Systems" means, with respect to On-Prem Software, the permitted type and number of computer hardware systems, storage platforms and computer frameworks from which Client may use such On-Prem Software, as identified in the applicable Order Form.
  • “System Data” means data, information or outputs derived by dbt Labs from the use of a Fivetran Product, including logs, statistics, or reports regarding the performance, availability, usage, integrity or security of the Fivetran Product (e.g., a user’s path through the Fivetran Product, login frequency, query logs, etc.). For the avoidance of doubt, System Data does not include Customer Data and does not relieve dbt Labs from otherwise complying with its confidentiality obligations under the Agreement with respect to Customer Data.
  • “Third Party Platform” means any product, add-on or platform not provided by dbt Labs that Client uses with the Fivetran Product.

2. PROVISION OF FIVETRAN PRODUCTS

2.1 Scope. Except as modified herein, the Agreement governs Client’s use of the Fivetran Products and every reference to the Services therein will be deemed to also refer to the Fivetran Products so that the rights and obligations therein continue to apply. Fivetran, the parent company of dbt Labs, may provide the Fivetran Products, or a portion thereof, to Client in accordance with the Agreement, these Requirements and any applicable Order Form. dbt Labs will (a) be responsible for the portions of the Fivetran Products provided by Fivetran; and (b) not be relieved of its obligations under the Agreement, these Requirements or the applicable Order Form if Fivetran provides the Fivetran Products or a portion thereof. Notwithstanding anything in the Agreement or these Requirements to the contrary, Customer may execute one or more Order Forms directly with Fivetran for the Fivetran Products and (a) each such Order Form shall be governed by the terms and conditions of the Agreement, as modified and supplemented by these Requirements; and (b) dbt Labs shall be an express third party beneficiary of such Order Form, with the right to enforce the terms thereof as if dbt Labs were a party thereto.

2.2 On-Prem Software License. With respect to any Order Form that includes On-Prem Software, subject to the terms of the Agreement and these Requirements, dbt Labs grants to Client a limited, non-exclusive, non-transferable (except as part of a permitted assignment of the Agreement under Section 13.2 (Assignment) of the Terms), non-sublicensable, royalty-free, worldwide license during the subscription term of such Order Form to install, integrate and use for its own internal business purposes such On-Prem Software on the Source and Target Systems.

3. PRIVACY AND SECURITY

3.1 Security. Notwithstanding anything to the contrary in the Agreement, any security provisions and any security exhibits in the Agreement related to the dbt Labs Services will not apply to the Fivetran Products. Instead, dbt Labs will procure that Fivetran maintains administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data submitted to the Fivetran Products in accordance with the Fivetran security policy located at https://fivetran.com/docs/security (the "Fivetran Security Policy") posted as of the Effective Date (as the Fivetran Security Policy may be updated by Fivetran in a manner that does not materially decrease the applicable protections for the Fivetran Products during the term of the applicable Order Form).

3.2 Privacy. For purposes of these Requirements, notwithstanding anything to the contrary in the Agreement and solely with respect to the Processing of Personal Data in connection with the Fivetran Products, the DPA is modified as follows:

(a) dbt Labs will process Personal Data for the following purposes: (i) as described in Schedule 1 of these Requirements, which hereby replaces Schedule 1 of the DPA (Details of the Processing and Transfer of Subscriber Personal Data); (ii) in accordance with the documented reasonable instructions of Client (which instructions, where Client is a processor, will reflect the instructions of its controller) that are consistent with the terms of the Agreement, these Requirements, applicable Order Forms, and Data Protection Laws; and (iii) to comply with dbt Labs’ legal obligations.

(b) Schedule 2 of the DPA (Technical and Organisational Security Measures) is modified as set forth in Schedule 2 of these Requirements.

(c) Schedule 3 of the DPA (Authorised Subprocessors) is modified as set forth in Schedule 3 of these Requirements.

(d) “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access to Personal Data that is in violation of dbt Labs’ security obligations under the Terms by dbt Labs or its agents of which dbt Labs becomes aware. Security Incident will not include an unsuccessful security incident, which is one that results in no unauthorized access to Personal Data or to any dbt Labs equipment or facilities storing the Personal Data, and could include (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

(e) Transfer Mechanisms. To the extent Client’s use of Fivetran Products requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction to dbt Labs located outside of that jurisdiction (“Transfer Mechanism”), the transfer of Personal Data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (i) the EU-US Data Privacy Framework (“DPF”), the UK extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce as applicable; (ii) Standard Contractual Clauses as set forth in the DPA; and, if neither (i) nor (ii) is applicable, then (iii) such other applicable Transfer Mechanisms permitted under Data Protection Laws.

(f) dbt Labs shall ensure that any contract with its subprocessors includes terms at least as protective as the ones contained in the Agreement.

(g) Where required by the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Client agrees not to upload to any SaaS Product any personal health information ("PHI Data") unless a Business Associate Agreement ("BAA") has been duly executed. Unless a BAA is in place, neither dbt Labs nor Fivetran will have liability under the Agreement for PHI Data, notwithstanding anything in the Agreement, or pursuant to HIPAA or any other applicable law.

(h) Notwithstanding anything to the contrary in this Agreement, dbt Labs may collect System Data and use such data internally to develop, improve, support, and operate Fivetran Products. dbt Labs’ use of System Data will comply with Data Protection Laws. dbt Labs owns all right, title, and interest in System Data. dbt Labs may not share any System Data that includes Personal Data with a third party except to the extent the System Data is aggregated and anonymized such that Client and Client’s users cannot be identified.

4. SUPPORT POLICY AND SLA

Notwithstanding anything to the contrary in the Agreement, technical support for the Fivetran Products will not be subject to dbt Labs’ support. Instead, technical support for the Fivetran Products is governed by the Fivetran Support Policy located at https://www.fivetran.com/legal/support-policy. In addition, use of the Fivetran Products is not subject to any service level agreement or SLA in the Agreement, and such use will instead be governed by the Fivetran SLA at https://www.fivetran.com/legal/sla.

5. SERVICE CONSUMPTION TABLE

Notwithstanding anything to the contrary in the Agreement or an Order Form, any provisions related to Fees, including as they relate to Units, in the Agreement or an existing Order Form will not apply to the Fivetran Products. Instead, the Fivetran Service Consumption Table located at https://www.fivetran.com/legal/service-consumption-table (the "Service Consumption Table") will apply to the Fivetran Products unless otherwise set forth in the applicable Order Form. If Client’s use of a Fivetran Product exceeds the usage or capacity set forth on the applicable Order Form, or otherwise requires the payment of additional Fees (per the terms of the Agreement, these Requirements, or the Order Form), dbt Labs will invoice Client in arrears for such additional usage or capacity and Client agrees to pay the additional Fees in the manner provided herein. Billing communications will be addressed to ar@fivetran.com.

6. RESTRICTIONS AND REQUIREMENTS

Client will use the Fivetran Products in accordance with the Fivetran Acceptable Use Policy located at https://www.fivetran.com/legal/acceptable-use-policy and the Software and Service Specific Requirements.

7. TRADE LAWS

Client agrees to comply with, and shall not permit Authorized Users or any third parties to access or use the Fivetran Products in violation of international export controls and economic and trade sanctions laws and regulations (collectively, “Trade Laws”). Without limiting the foregoing, Client represents that it (a) will not access the Services from a country or territory that is itself the subject or target of trade or economic sanctions (a “Sanctioned Country”).

8. PRE-COMMERCIAL OFFERINGS

Any Fivetran Product or feature offered on a trial basis will be deemed a "Beta Feature" for all purposes of Section 13.10 (Beta Features Terms) of the Terms.

9. LIMITATION OF LIABILITY AND INDEMNIFICATION

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, THE AGGREGATE, CUMULATIVE LIABILITY OF DBT LABS (INCLUDING ITS AFFILIATES AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, REPRESENTATIVES, AGENTS AND SUPPLIERS) FOR OBLIGATIONS AND CLAIMS RELATED TO CUSTOMER DATA, WILL NOT EXCEED TWO TIMES (2X) THE AMOUNTS PAID OR PAYABLE BY CLIENT UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO THE CLAIM (“SPECIAL CAP”).

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, CLIENT WILL INDEMNIFY AND DEFEND DBT LABS AND ITS AFFILIATES AND THEIR RESPECTIVE OFFICERS, DIRECTORS AND EMPLOYEES (COLLECTIVELY, “DBT LABS INDEMNIFIED PARTIES”) FROM AND AGAINST ANY DAMAGES AND COSTS FINALLY AWARDED AGAINST THE DBT LABS INDEMNIFIED PARTIES OR AGREED TO IN SETTLEMENT BY CLIENT (INCLUDING REASONABLE ATTORNEYS’ FEES) IN CONNECTION WITH ANY CLAIMS ARISING FROM OR RELATED TO CUSTOMER DATA OR THEIR USE WITH THE FIVETRAN PRODUCTS, AS APPLICABLE, PROVIDED DBT LABS’ USE OF THE CUSTOMER DATA IS IN ACCORDANCE WITH THE AGREEMENT. SUCH INDEMNITY IS NOT SUBJECT TO THE LIMITATION OF LIABILITY SET FORTH IN THE AGREEMENT.

10. EFFECTIVE DATE AND UPDATES TO THESE REQUIREMENTS

These Requirements take effect immediately upon Client’s use of the Fivetran Products. dbt Labs may update these Requirements from time to time. Any updates will become effective for Client upon renewal or entry into a new Order Form enabling the Fivetran Products after any updates go into effect.

11. MISCELLANEOUS

Except as otherwise set forth in these Requirements, the terms of the Agreement, including, without limitation, any disclaimers, limitations of liability and governing law provisions set forth therein, will apply to Client’s use of the Fivetran Products.

Schedule 1 to the DPA

Annex I to the DPA — Data Processing Description (applicable to Fivetran Products only)

This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s):

[Identity and contact details of the controller(s) / data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name

As provided by Client.

Address

As provided by Client.

Contact person’s name, position and contact details

As provided by Client.

Activities relevant to the data transferred under these Clauses

dbt Labs will process Personal Data in order to facilitate migration of data to and from Client’s data sources and Client’s data warehouse(s). The frequency and retention periods for which Personal Data may be stored will vary depending on Client’s configuration of Fivetran Products and are described at https://fivetran.com/docs.

Role (controller/processor)

Controller / processor.

Processor(s) / Data importer(s):

[Identity and contact details of the processor(s) / data importer(s), including any contact person with responsibility for data protection]

Name

dbt Labs, LLC

Address

1221 Broadway, Floor 20, Oakland, CA 94612 USA

Contact person’s name, position and contact details

Data Protection Officer:

Seth Batey

privacy@fivetran.com; DPO@fivetran.com

Activities relevant to the data transferred under these Clauses

dbt Labs will process Client’s Personal Data in order to facilitate migration of data to and from Client’s data sources and Client’s data warehouse(s). The frequency and retention periods for which Personal Data may be stored will vary depending on Client’s configuration of Fivetran Products and are described at https://fivetran.com/docs.

Role (controller/processor)

Processor / sub-processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred

Individuals whose Personal Data is stored in Client’s data sources and processed by Fivetran.

Categories of Personal Data transferred

dbt Labs may have access to Personal Data of individuals whose Personal Data is stored in Client’s data sources.

The types of Personal Data processed are determined by Client and may include, without limitation: name, email address, physical address, IP address and other online identifiers, date of birth, telephone/mobile number, and location data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

The types of Personal Data processed are determined by Client and may include sensitive data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Duration of account / agreement life-cycle.

Nature of the processing

The data processing activities carried out by dbt Labs under the Agreement.

Purpose(s) of the data transfer and further processing

dbt Labs will process Client Personal Data in order to facilitate migration of data to and from Client’s data sources and Client’s data warehouse(s).

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

The frequency and retention periods for which Personal Data may be stored will vary depending on Client’s configuration of Fivetran Products and are described at https://fivetran.com/docs.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 SCCs)

Irish Supervisory Authority (Data Protection Commission).

Schedule 2 to the DPA

Annex II to the DPA — Technical and Organisational Security Measures (applicable to Fivetran Products only)

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of Personal Data

Applicable security measures can be found on Fivetran’s website at https://fivetran.com/docs/security-and-privacy/security, https://fivetran.com/docs/security-and-privacy/privacy, and https://fivetran.com/docs/activations/misc/security-and-privacy. Security measures include:

Transport layer security:

• All data is transmitted to or from Fivetran over an encrypted protocol using industry-standard cryptographic protocols (TLS 1.2+); and

• Fivetran redirects unencrypted requests (HTTP) to an encrypted protocol (HTTPS).

Physical & environmental security: the Fivetran Products are hosted in Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Hosting providers maintain physical & environmental security protections including:

• Physical access restricted to approved employees based on the principle of least privilege;

• Multi-factor authentication when approved personnel access facilities;

• Closed Circuit Television Camera (CCTV) video recording of access points;

• Fire detection and suppression systems; and

• Redundant infrastructure for power, networking, and cooling.

Logical access controls: logical access to Fivetran Products is restricted to employees based on the principle of least privilege. All access is formally approved and requires multi-factor authentication. Access is removed in the event of employee termination or if the employee changes roles and no longer requires access, and is reviewed on a quarterly basis. Access activity is logged in centralized logging infrastructure and protected from tampering.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Fivetran will:

• Prior to implementing changes to its information systems, follow a documented change management process to assess the potential impact of such changes on privacy, confidentiality, security, integrity and availability of Personal Data, and determine whether such changes are consistent with Fivetran’s information security program;

• Maintain application security and software development controls designed to prevent the introduction of security vulnerabilities in software developed by Fivetran that processes Personal Data;

• Implement network security controls such as up-to-date firewalls, layered DMZs and updated intrusion detection/prevention systems, including firewalls between Fivetran’s information systems, the Internet, and other public networks, and internal networks not necessary for processing Personal Data;

• Implement and maintain software that detects, prevents, removes and remedies malicious code (computer viruses, Trojan horses, worms, time/logic bombs);

• To the extent practicable, run malicious code detection software at least daily and update it at least daily, including by obtaining and implementing the most current available virus signatures; and

• Maintain vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies to identify, assess, mitigate and protect against new and existing security vulnerabilities and threats.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Fivetran will:

• Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected breaches, including training personnel to recognize, escalate and notify senior management of incidents; mandatory post-breach review; and policies governing reporting of breaches to regulators and law enforcement;

• Maintain policies and procedures for responding to an emergency or other occurrence that can compromise privacy, confidentiality, integrity or availability of Personal Data, providing for: creating retrievable copies of Personal Data; restoring lost Personal Data; enabling continuation of critical business processes in emergency mode; assessing relative criticality of specific applications and Personal Data; and periodic testing and updates of contingency plans.

Except as described at https://fivetran.com/docs/using-fivetran/features/regional-failover, Fivetran provides a Regional Failover feature for select plans and deployments.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Fivetran completes an annual, independent SOC 1 and SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Fivetran is certified under ISO 27001. On Client’s request, Fivetran will provide the audit results.

Measures for user identification and authorisation

Fivetran will:

• Identify personnel, classes of personnel and third parties whose documented business functions and responsibilities require access to Personal Data, relevant information systems, and Fivetran’s premises;

• Permit access to Personal Data, relevant information systems and Fivetran’s premises only to such authorized personnel and third parties;

• Maintain a current record of personnel and third parties authorized to access Personal Data, relevant information systems and Fivetran’s premises, and the purposes of such access;

• Maintain logical and physical access controls, secure user authentication protocols, secure access control methods, and firewall protection;

• Prevent terminated personnel, subcontractors or other third parties from accessing Personal Data and information systems by immediately terminating physical and electronic access; and

• Manage access to Personal Data and relevant information systems by maintaining secure control over user IDs, passwords, and other authentication identifiers; using multi-factor or risk-based authentication; requiring password changes on indication of compromise; configuring device trust to allow only trusted workstations; restricting access to active users and accounts; blocking access after multiple unsuccessful login attempts; terminating access after a predetermined period of inactivity; and promptly revoking or changing access in response to personnel termination or job-function changes.

Measures for the protection of data during transmission

• All data is transmitted to or from Fivetran over an encrypted protocol using industry-standard cryptographic protocols (TLS 1.2+); and

• Fivetran redirects unencrypted requests (HTTP) to an encrypted protocol (HTTPS).

Measures for the protection of data during storage

Fivetran will:

• Apply encryption with industry-standard algorithms and key lengths to Personal Data: stored on laptops, mobile devices, portable storage devices and removable archival media; stored on file servers or in application databases; transmitted across any public network or wirelessly; transmitted in email attachments; and in transit outside of Fivetran’s information systems.

• Maintain policies prohibiting such storage or transmission unless required encryption has been applied.

Measures for ensuring physical security of locations at which Personal Data are processed

Fivetran will:

• Maintain reasonable restrictions on physical access to Personal Data and relevant information systems;

• Maintain reasonable physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster;

• Lock workstations with access to Personal Data when unattended; and

• Document repairs and modifications to information security-related physical components of Fivetran’s information systems.

Measures for ensuring events logging

A list of data and digital assets that can be exported (including logs, Fivetran platform connector logs, and audit trail log events) is available in Client’s Fivetran account and is listed in Fivetran’s documentation at:

https://fivetran.com/docs/logs

https://fivetran.com/docs/logs/fivetran-platform

https://fivetran.com/docs/logs#audittraillogevents

Measures for ensuring system configuration, including default configuration

Fivetran will:

• Outline duties and areas of responsibility of Fivetran personnel that are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Personal Data or Fivetran’s information systems; and

• Implement measures designed to maintain physical or logical segregation of Personal Data to prevent it from being commingled with another party’s information except as approved by Client.

Measures for internal IT and IT security governance and management

Fivetran completes an annual, independent SOC 1 and SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Fivetran is certified under ISO 27001. On Client’s request, Fivetran will provide the audit results. In addition, Fivetran will:

• Assign to an individual or group the responsibility for developing, implementing, and managing a comprehensive written information security program;

• Ensure relevant personnel are sufficiently trained, qualified, and experienced;

• Develop, maintain, and document reasonable technological, physical, administrative and procedural safeguards (policies, procedures, guidelines, practices, standards, and controls) to: ensure the privacy, confidentiality, security, integrity, and availability of Personal Data; protect against any anticipated threats or hazards; and protect against breach;

• Regularly test, monitor, and evaluate the sufficiency and effectiveness of the information security program, including breach response procedures;

• Conduct information security risk assessments at least annually and whenever there is a material change in business or technology practices that impacts Personal Data;

• Adjust and update Fivetran’s information systems and information security program to limit and mitigate identified threats and risks;

• Assess whether Fivetran’s information security program is operating in a manner reasonably calculated to prevent and mitigate breaches;

• Ensure risk assessments are conducted by personnel independent of those who develop or maintain Fivetran’s information systems or information security program;

• Conduct reasonable background checks (including criminal background checks) as allowed by local law of any employee with access to Personal Data or relevant information systems; and

• Regularly and periodically train personnel, subcontractors and any third parties who have access to Personal Data or relevant information systems concerning Fivetran’s information security program, the importance of security, confidentiality and privacy of Personal Data, and the risks associated with breaches.

Fivetran’s risk assessments will: identify and assess reasonably foreseeable internal and external threats and risks; assess the likelihood of, and potential damage that can be caused by, identified threats and risks; assess the adequacy of personnel training and compliance; and assess the adequacy of service provider arrangements.

Measures for certification/assurance of processes and products

Fivetran completes an annual, independent SOC 1 and SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Fivetran is certified under ISO 27001. On Client’s request, Fivetran will provide the audit results.

Measures for ensuring data minimisation

Connections for each customer are managed separately within the host environment. Except as described at https://fivetran.com/docs/security-and-privacy/privacy#retentionofcustomerdata and https://fivetran.com/docs/activations/misc/security-and-privacy, Fivetran does not store Personal Data, other than while in transit. Information on access to customer resources required for connection functionality is logically separated within the host storage facility (Microsoft Azure, GCP, or AWS).

Fivetran does not control the host physical infrastructure. Fivetran relies on the fault-tolerant nature of Microsoft Azure, GCP, and AWS across multiple availability zones, and can redeploy the platform to another region in case of catastrophic failure.

Except as described at https://fivetran.com/docs/security-and-privacy/privacy#fivetrandataresidency and https://fivetran.com/docs/activations/misc/data-storage, Fivetran will process Personal Data within the region specified by Client during configuration of the Fivetran Product. Current geographic regions supported by Fivetran are at https://fivetran.com/docs/getting-started/ips and https://fivetran.com/docs/activations/misc/data-storage.

In addition, Fivetran will: collect only as much Personal Data as needed to accomplish the purpose for which the information is collected; refrain from storing Personal Data on media connected to external networks unless necessary for business purposes; prohibit download and use of file sharing and other software that can open security vulnerabilities to areas or systems that hold Personal Data; securely dispose of records containing Personal Data so the information cannot be read or reconstructed after it is no longer needed; and securely erase media containing Personal Data before reuse.


Measures for ensuring data quality

Based on the nature of the Fivetran services, Fivetran is a data pipeline, so the accuracy of the Personal Data depends on whether or not Client has provided accurate information.

Measures for ensuring limited data retention

Except as described at https://fivetran.com/docs/security-and-privacy/privacy#retentionofcustomerdata and https://fivetran.com/docs/activations/misc/security-and-privacy, Fivetran does not store Personal Data, other than while in transit.

In addition, Fivetran will use secure destruction procedures to sanitize any unencrypted hard disk, portable storage device or backup media containing Personal Data prior to sending it offsite for maintenance or disposal purposes.

Measures for ensuring accountability

Fivetran has a Data Protection Officer, Chief Information Security Officer, and several security and privacy personnel that are responsible for security and privacy compliance, including appropriate security safeguards.

Measures for allowing data portability and ensuring erasure

A list of data and digital assets that can be exported (including logs, Fivetran platform connector logs, and audit trail log events) is available in Client’s Fivetran account and is listed in Fivetran’s documentation at:

https://fivetran.com/docs/logs

https://fivetran.com/docs/logs/fivetran-platform

https://fivetran.com/docs/logs#audittraillogevents

Clients may submit data portability requests to privacy@fivetran.com.

Except as described at https://fivetran.com/docs/security-and-privacy/privacy#retentionofcustomerdata and https://fivetran.com/docs/activations/misc/security-and-privacy, Fivetran does not store Personal Data, other than while in transit.


For transfers to (sub-) processors, the specific technical and organisational measures to be taken by the (sub-) processor:

Contractual language

Fivetran ensures that its sub-processors are subject to substantially similar terms that provide equivalent data protection.

Due Diligence

Fivetran conducts due diligence on third parties, including necessary privacy and security reviews, such as privacy threshold and privacy impact assessments. Fivetran will:

• Take reasonable steps and conduct due diligence to select and retain sub-processors capable of maintaining the privacy, confidentiality, security, integrity and availability of Personal Data consistent with Fivetran’s contractual and other legal obligations;

• Contractually require sub-processors to maintain adequate safeguards for Personal Data sufficient to allow Fivetran to meet its contractual and legal requirements; and

• Assess and monitor sub-processors to confirm their compliance with the applicable privacy and information security requirements.

Schedule 3 to the DPA

Annex III to the DPA — List of Subprocessors (applicable to Fivetran Products only)

The current list of sub-processors authorised to process Personal Data in connection with the Fivetran Products is maintained at https://fivetran.com/docs/security-and-privacy/privacy#subprocessormanagement (or such successor URL as may be designated by Fivetran). Fivetran provides notice for any additions to such list. Client may request a preferred email contact to receive notifications of changes by sending the contact to privacy@fivetran.com.

Client agrees that Client’s configuration of access to a Fivetran Product (including selection of region or hosting environment) constitutes Client’s consent to Fivetran’s and dbt Labs’ use of the corresponding sub-processors for the Fivetran Products. This paragraph does not apply to changes made solely at the request of Fivetran or dbt Labs in the absence of Client’s instructions, direction or request.