Redis LangCache and the next era of fast, accurate AI are here.
Get the details
Last Update: March 26, 2025
This Data Processing Addendum (“DPA”) is part of the Redis Cloud Agreement, or the applicable services agreement between Redis and Customer (the “Agreement”), referencing this DPA. This DPA is effective on the same date as the Agreement, or as otherwise agreed between the Parties herein. The Parties agree that this DPA shall replace any existing DPA, or other data protection provisions the Parties may have previously entered into in connection with the Services.
1.1 Affiliate means any company controlling, controlled by, or under common control with a Party, where control means ownership, directly or indirectly, of the shares of a company representing fifty percent (50%) or more of the voting rights in this company.
1.2 Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3 Customer means the entity using the Services that has executed an Agreement or applicable order form (or Transaction if defined as such in the Agreement), which references this DPA.
1.4 Data Exporter means Customer and any of its Affiliates and subsidiaries that transfer Customer Personal Data to Data Importer for the purposes specified in the Agreement, and such transfer is subject to a specific transfer mechanism as required by the applicable Privacy Laws and Regulations.
1.5 Data Importer means Redis and any of its Affiliates and Personnel s that will have access to or otherwise Process Customer Personal Data, in circumstances where the Personal Data originates from a data subject located in the country at issue, and is processed by Redis, its Affiliate or Personnel located in a Non-Adequate Country.
1.6 Individual or Data Subject means a natural person the Personal Data relates to.
1.7 Non-Adequate Country means a country not providing an adequate level of Personal Data protection pursuant to applicable Privacy Laws or a decision of a supervisory authority.
1.8 Personal Data means information about an identified or identifiable Individual, also referred to as Personal Information (or other substantially similar term) pursuant to applicable Privacy Law, which Redis Processes under the terms of the Agreement.
1.9 Personnel means the employees, agents, consultants, and contractors of Redis, Customer, and Affiliates.
1.10 Privacy Law means, to the extent applicable: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the Data Protection Act 2018 and EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection (“FADP”); (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102) which may be amended from time to time (“CCPA”); and (vi) any other data protection legislation applicable to the processing of Personal Data under the Agreement.
1.11 Process, Processed or Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.12 Services means the Redis Cloud service, or any other services provided by Redis to Customer in the Agreement, including support services.
1.13 Standard Contractual Clauses or SCCs or EU SCCs mean the standard contractual clauses for the transfer of personal data to third countries pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are available at this link. For purposes of Attachment 1, both MODULE TWO: Transfer controller to processor (“Module 2”) and, if applicable, MODULE THREE: Transfer processor to processor (“Module 3”) (referred to jointly as the “Modules”) of the SCCs, as approved by the European Commission and as updated from time to time.
1.14 Subprocessor(s) means Affiliates and other third parties that may Process Personal Data in the performance of the Services.
2.1. Scope and Roles. This DPA applies where Redis processes Personal Data on behalf of Customer as part of the Services. The DPA does not apply when Redis is the Controller.
(i) GDPR and analogous Privacy Law. If the GDPR or other Privacy Law apply to Redis’ Processing of Personal Data on behalf of the Customer under the Agreement, Redis acts as the Processor. The Customer may act as either the Controller or Processor of Personal Data, as defined under applicable Privacy Law.
(ii) CCPA. If the CCPA applies to Redis’ Processing of Personal Data on behalf of the Customer, the Customer is the “Business,” and Redis is the “Service Provider.” Redis will (i) Process Personal Data solely on behalf of the Customer and for the specific business purposes outlined in the Agreement; (ii) not retain, use, disclose, or otherwise Process such Personal Data for any purpose other than performing the Services; (iii) not “sell” or “share” Customer Personal Data (as defined in CCPA); (iv) not combine Customer Personal Data with personal data that Redis receives from another Redis customer, except as permitted under CCPA; and (v) notify Customer if Redis determines that it can no longer comply with our obligations under CCPA. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data that is protected under CCPA.
2.2 Instructions for Redis’ Processing of Personal Data. Redis will only Process Personal Data in accordance with Customer’s documented instructions including concerning transfers of Personal Data to a third country, unless Redis is required to do otherwise by applicable Privacy Law. In such case, Redis shall inform Customer of the legal requirement before Processing, unless that legal requirement prohibits such disclosure. Redis will promptly inform the Customer if, in its opinion, an instruction violates applicable Privacy Law.
Under this DPA, Customer instructs Redis to Process Personal Data for the following business purposes:
Processing outside the scope of this DPA (if any) will require prior written agreement between Redis and Customer on additional instructions for Processing, including agreement on any additional fees Customer will pay Redis to carry out such instructions.
2.3 Details of Processing. The subject matter and duration of the Processing align with the purposes and duration specified in the Agreement. Customer determines the nature and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects involved, are determined by the Customer. This is based on Customer’s utilization of the Services and the Personal Data that Customer elects to provide for the Services or otherwise provide to Redis for Processing. The categories of Data Subjects may include, but are not limited to, Customer’s employees, staff, vendors, end users, or any other individuals whose Personal Data Customer chooses to provide to Redis under the Agreement.
2.4 Assistance in Compliance. At Customer’s written request, Redis will assist Customer in complying with Customer’s obligations pursuant to Articles 32 to 36 to the GDPR (or other substantially similar obligations under applicable Privacy Law), in relation to the Processing of Customer’s Personal Data by Redis, taking into account the nature of Processing and the information available to Redis.
3.1 Customer Obligations. Customer shall: (i) provide all necessary notices to Individuals; (ii) receive all necessary permissions and consents; and (iii) address any obligations related to the lawful basis for Processing as necessary for Redis to Process Personal Data on Customer’s behalf under the terms of the Agreement and this DPA pursuant to the applicable Privacy Law. Customer shall serve as the single point of contact for Redis. As other controllers may have rights, Customer shall exercise any rights on their behalf and obtain all necessary permissions from any applicable other controllers. Redis will be discharged of any information obligation with respect to other controllers, when Redis has provided such information to Customer. Similarly, Redis will serve as a single point of contact for Customer with respect to Redis’ obligations as a Processor under this DPA.
3.2 Documentation. To the extent required under the applicable Privacy Law, Customer will appropriately document the Individuals’ notices and consents or other lawful bases on which such Personal Data is Processed. Customer shall not use the Services with Personal Data to the extent that such use would violate Privacy Law.
4.1 Requests. Redis shall, to the extent legally permissible, promptly notify Customer upon receiving a request from a Data Subject whose Personal Data is processed under this DPA, and if the Data Subject has provided information to identify the Customer. If no contact information is provided by the Data Subject, Redis will ask the Data Subject to redirect its request to the Customer. Redis shall not respond directly to any such Data Subject request without the Customer’s prior written consent, except as required by Privacy Law.
4.2 Assistance. Considering the nature of Redis’ Processing and to the extent feasible, Redis shall assist Customer in fulfilling its obligation to respond to Data Subject requests under applicable Privacy Law. Redis shall provide such assistance by providing Customer access to the Personal Data and supporting Customer in the operational execution of Data Subjects’ rights. Customer shall pay Redis for the reasonable costs incurred in providing such assistance, excluding any negligible costs.
4.3 Accuracy of Personal Data. The Customer acknowledges that Redis does not control the content of Personal Data processed and therefore cannot be responsible for its accuracy. If Redis becomes aware of any inaccuracy in the Personal Data processed, Redis shall promptly notify Customer. Redis shall cooperate with Customer to rectify or delete inaccurate Personal Data, subject to the terms of this DPA and applicable Privacy Law.
5.1 Limitation of Access. Redis will ensure that access to Personal Data is limited to Personnel who require such access to provide the Services.
5.2 Confidentiality. Redis will ensure that its Personnel who have access to Personal Data and engaged in Processing: (i) are under an appropriate obligation of confidentiality; (ii) are informed of the confidential nature of the Personal Data; and (iii) have received appropriate training.
6.1 Affiliates and Subprocessors. Redis may engage Subprocessors in the performance of the Services. All Subprocessors involved in the Processing have entered into written agreements with Redis or such other instruments that bind them to the same material obligations of this DPA. The list of applicable Subprocessors is available at this link (the “Subprocessor List”). Customer may also register to receive email notifications of any change to the Subprocessor List. Redis will be liable for the performance of its Subprocessors to the same extent that Redis would be liable if performing the Services of each Subprocessor directly, to the extent required under applicable Privacy Law.
6.2 Objection. Customer may object to engagement by Redis of a new Subprocessor within a reasonable time following Redis’ updating the Subprocessor List. Customer agrees that any objection will be based on a detailed and legitimate reason. If Customer sends Redis an appropriate written objection to the new Subprocessor, Redis will make commercially reasonable efforts to provide the Services without using the new Subprocessor. If Redis believes it cannot provide the Services without the use of such Subprocessor, Customer may, as its sole and exclusive remedy, terminate the applicable Services, subject to the payment of outstanding applicable fees.
7.1 Transfer to Subprocessors. All Redis’ Subprocessors: (i) are subject to appropriate contractual safeguards; (ii) have executed or undertaken to comply with other binding instruments, certifications, or self-certifications for the lawful transfer of Customer’s Personal Data, as required and available under applicable Privacy Law; or (iii) are established in a country that was acknowledged by the EU Commission or applicable competent authority as providing adequate protection to Personal Data.
7.2 Location of Data. Customer controls the geographic regions in which Personal Data resides when configuring the Services. If Customer configures the Services in such a way that Personal Data is transferred between one geographic region to a Non-Adequate Country, the relevant sections of Attachment 1 shall apply.
8.1 Controls. Redis shall maintain appropriate administrative, physical, and technical safeguards to protect the security and integrity of the Personal Data. These measures will conform with the Redis Technical and Organizational Security Measures (“TOMs”) available at this link. No material decrease in the overall security of the TOMs for the Services will occur during the term of the Agreement.
8.2 Policies. Redis uses external auditors to verify the adequacy of its security measures. Upon Customer’s written request at reasonable intervals and subject to confidentiality limitations, Redis will make available to Customer (or to a third-party auditor on Customer’s behalf, that is not a Redis competitor and subject to the auditor’s execution of a non-disclosure agreement with Redis) the then most recent version of Redis’ summaries of third-party audit or certification reports.
8.3 Audits. If Customer reasonably determines that Redis’ provided information is insufficient to demonstrate compliance with the TOMs, Customer may conduct one (1) audit per year (“DPA Audit”), subject to the following: (i) Customer must provide at least sixty (60) days’ prior written notice; (ii) Audit personnel must execute Redis’ non-disclosure agreement, with third-party auditors also signing a non-competition undertaking; (iii) Audits must not compromise the confidentiality, security, or operations of Redis’ systems or data; (iv) Customer bears all audit-related costs and liabilities; (v) Audit results are confidential and may not be shared without Redis’ prior written consent, except as required by law with prior notice to Redis. Customer will promptly notify Redis of any non-compliance discovered, and Redis will use commercially reasonable efforts to address confirmed issues.
8.4 Customer Configurations. Redis Cloud has configurable security options and settings that should be configured by Customer according to the Redis Enterprise security best practices documentation (“Redis Security Configuration Best Practices”). The Redis Security Configuration Best Practices for the Redis Cloud Services is available at this link,. Customer has been provided with Redis Security Configuration Best Practices in this Section.
9.1 Breach Prevention and Management. Redis maintains security incident management policies and procedures. If required by Privacy Law, Redis will notify the Customer of any unauthorized access to, acquisition of, or disclosure of Customer Personal Data (“Security Incident”), within seventy-two (72) hours of confirmation of the Security Incident. Redis will make commercially reasonable efforts to identify and remediate the cause of the Security Incident.
10.1 Data Deletion. Redis will provide Customer with the ability to remove Customer Personal Data and any copies during the term of the Agreement or upon or after the termination of the Agreement. Customer acknowledges that Redis fulfills the data deletion requirement under applicable Privacy Law by providing such capability.
10.2 Data Retention. Customer acknowledges and agrees that Redis may retain copies of certain records, log files, and transactional details, as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal and continuing obligations.
11.1 Redis may disclose Personal Data if required by law or a subpoena or other judicial or administrative order or if Redis deems the disclosure necessary to protect the safety and rights of any person, Individual, or the general public.
11.2 Redis undertakes to adopt supplementary measures to protect the Personal Data transferred under the SCCs by the Data Exporter, in accordance with the requirements of applicable Privacy Law, including by implementing appropriate technical and organizational safeguards available by visiting the TOMs.
11.3 In the event that Redis receives a legally binding request for access to Personal Data by a public authority, Redis will: (i) promptly notify Customer, unless prohibited by law, to enable Customer to take protective measures; (ii) limit disclosure to the minimum amount of data required by law, based on a reasonable interpretation; and (iii) if legally permissible, challenge unlawful or excessive requests and provide Customer with general information about government requests received within the past year. Redis will not disclose Personal Data in a way that is massive, disproportionate, or indiscriminate beyond what is necessary in a democratic society.
12.1 The Redis DPO can be contacted at privacy@redis.com.
13.1 Invalidation by law or court review of one or more of the provisions under this DPA does not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives. The terms of this DPA supersede any conflicting Agreement terms. If there is any conflict between the SCCs and the Agreement (including this DPA), the SCCs prevail, to the extent the conflict relates to the processing of Customer Personal Data that is subject to the SCCs. Redis will enter into the SCCs for the transfer of Client Personal Data required by the applicable Privacy Laws with each Subprocessor located in a Non-Adequate Country, Any claims against Redis under this DPA may only be brought by the Customer entity that is a party to the Agreement against the Redis entity that is a party to the Agreement. Any limitations of liability in the Agreement apply to this DPA to the fullest extent allowed by law. In no event does this DPA restrict or limit the rights of any Data Subject or of any competent supervisory authority.
The following provisions apply to all transfers of Personal Data pertaining to Data Subjects located in the EEA, where the Data Exporter, the Data Importer or both are located in a Non-Adequate Country.
Module 2 applies when Customer is the Controller. If Redis is a subprocessor on behalf of Customer as a Processor, Module 3 will apply.
Module 2 and Module 3 are hereby amended as follows, to the extent allowed by applicable law:
| Section Reference | Concept | Selection by the Parties |
|---|---|---|
| Section 1, Clause 7 | Docking Clause | Any Clause purporting to allow the admission of contracting parties without mutually executed signed writings shall not apply (including but not limited to any optional docking clauses). |
| Section II, Clause 9 | Approval of Subprocessor | The language of Option 2 shall apply, with General Written Authorisation in accordance with a notification period of five (5) days in advance. Any optional language requiring Prior Specific Written Authorisation does apply, except in the case of a mutually executed amendment between Controller and Processor. |
| Section II, Clause 11 | Redress | The Optional language of Clause 11 shall not apply. |
| Section II, Clause 13 | Supervision | All options under Clause 13(a) shall apply. |
| Section II, Clause 15 | Audit Rights | Any audit right described in Module 2 or Module 3 is satisfied by the audit procedures explicitly described in this DPA, except to the extent mandated by Privacy Law. |
| Section IV, Clause 17 | Governing Law | The language of Option 1 in Clause 17 shall apply, except as otherwise described in this Attachment 1. The SCCs will be governed by the law of the Republic of Ireland. |
| Section IV, Clause 18 | Choice of Forum and Jurisdiction | The courts of the EU Member State where the competent supervisory authority is located, according to Clause 13. |
| Annex 1(A) | List of Parties | Data Importer’s “Name”; “Address”; “Contact person’s name, position and contact details” shall be those details of Redis as defined in this Agreement. |
| Annex 1(B) | Description of Transfer | Outlined in Section 2 of this DPA. |
| Annex 1(C) | Competent Supervisory Authority | (i) The competent supervisory authority shall be drafted as the supervisory authority which is competent to supervise the activities of the Data Exporter or, (ii) where the Data Exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the Data Subjects relevant to the transfer are located. |
This Section describes the “Activities relevant to the data transferred under these Clauses” contained in the Modules: (i) The subject matter, nature, categories, and types of Personal Data subject to Processing are described in Section 2 of the DPA, (ii) The descriptions of scope and transfer, described in Section 2 of the DPA is the Description of Transfer for the purposes of Annex I.B of the Appendix of the Standard Contractual Clauses, (iii) The duration of the Processing activities are continuous until the termination of the Agreement, (iv) The purpose of the Processing is the provision of the Services to Customer, and (ev) The details contained in the Redis Subprocessor List are agreed by the Parties to constitute a description of transfers to applicable Subprocessors.
If the European Commission has previously adopted an adequacy decision with respect to a jurisdiction outside of the European Union, the Parties acknowledge that such decision is a valid transfer mechanism for data transfers to the applicable jurisdiction. If the European Commission adopts a new adequacy decision, determining on the basis of Article 45 GDPR, that a jurisdiction outside of the European Union offers an adequate level of protection, and such decision is published to the European Commission’s website, available at this link, The Parties agree that this decision may be used as a transfer mechanism for the applicable jurisdiction.
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Lei Geral de Proteção de Dados Pessoais (Law No. 13,709/2018) (“LGPD”), the the Brazilian Standard Contractual Clauses (“Brazilian SCCs”) apply, is incorporated by reference, and is entered into by executing this DPA.
b. The Parties agree to amend the Brazilian SCCs as follows: (i) For the purpose of Clause 1 (Identification of the Parties) of the Brazilian SCCs, see the details of Annex 1(A) within the table under “Amendments to the Modules” of this Attachment, (ii) For the purpose of Clause 2 (Object) of the Brazilian SCCs, see the details of Annex 1(B) within the table under “Amendments to the Modules” of this Attachment, (iii) For the purpose of Clause 3 (Onward Transfers) of the Brazilian SCCs, the language of Option A shall apply, (iv) For the purpose of Clause 4 (Responsibilities of the Parties) of the Brazilian SCCs, the language of Option A shall apply, and (v) Information required to complete Section 3 (Security Measures) of the Brazilian SCCs shall align with the corresponding Appendices and Annexes of the EU SCC attached to this DPA.
a. Transfer of Personal Data subject to the Indian Digital Personal Data Protection Act is not permitted to countries specifically blacklisted by the Government of India.
a. For transfers of Personal Data subject to the Japanese Act on the Protection of Personal Information (“APPI”) the Parties agree that the DPA and its Attachment apply as legitimate measures for the transfers.
a. The Processors shall not Transfer any Personal Data outside the People’s Republic of China (“PRC”) nor allow any third parties outside PRC to access Controllers’ Personal Data without the written consent of the Controllers. Where the Controllers consent to the Transfer of Personal Data to and/or by the Processors, the latter shall collaborate and assist the Controllers, in accordance with the applicable PRC’s laws and regulations, by (i) providing the required documentation to obtain the Transfer(s) approvals from the appropriate regulatory authorities and/or (ii) conducting security assessments and/or (iii) filing the applicable standard contractual clauses.
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Swiss Federal Act on Data Protection from September 1st, 2023 (“FADP”), the SCCs apply, with the following amendments: (i) the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the governing law shall be the Swiss law in case the Transfer is exclusively subject to the FADP, as per Clause 17 (Governing law), (iii) the term EU Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland), and, (iv) references to the GDPR shall also include the reference to the equivalent provisions of the FADP (as amended or replaced). The EU SCC’s Annexes are completed as per Section 12.2 (b) to (d).
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Law on the Protection of Personal Data from April 7, 2016 (“Turkish Data Protection Law”), the Turkish standard contractual clauses (“Turkish SCCs”) apply, is incorporated by reference, and is entered into by executing this DPA.
b. The Parties agree to amend the Turkish SCCs as follows: (i) For the purpose of Clause 8 (Sub-Processors) of the Turkish SCC, the language of Option 2 applies, (ii) For the purpose of Clause 10 (Redress) of the Turkish SCC, the optional language shall not apply, and (iii) Information required to complete the Appendix, Annexes I to III of the Turkish SCC can be found in the Appendix of the EU SCC.
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the UK GDPR, the EU SCC apply and the UK International Data Transfer Addendum to the EU SCC, entered into force on 21 March 2022 (as amended or supplemented) (“UK Addendum”), is incorporated by reference and is entered into by executing this DPA.
b. The Parties agree to amend the UK Addendum as follows: (i) In the body of the approved EU SCC referenced in Section 2.2 above, to which the UK Addendum is appended to: (a) the Information Commissioner’s Office is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (b) the laws of the UK as per Clause 17 (Governing law) apply, (c) the courts of the UK as per Clause 18 (Choice of forum and jurisdiction) are selected, (d) references to the GDPR shall be replaced by the UK GDPR and references to specific Section(s) of the GDPR are replaced with the equivalent section(s) of the UK GDPR (if any), and (e) references to the Union, EU and EU Member State are all replaced with the UK, (ii) The EU SCC’s Annexes are completed as per Section 12.2, (iii) In Table 4 of the UK Addendum, “Both Parties may end the UK Addendum as set out in Section 19 of the UK Addendum” is added in the section “Ending this Addendum when the Approved Addendum changes”, and (iv) The Alternative Part 2 Mandatory Clauses of the UK Addendum is selected.
