Data Processing Agreement

Last updated: June 13, 2025

This Data Processing Addendum ("DPA") supplements the Terms of Service ("Agreement") between Luzidos, Inc. ("Luzidos") and the customer ("Customer") identified in an order form that is subject to that Agreement ("Service Order"). Luzidos and Customer are each referred to in this DPA as a "Party" and together as the "Parties."

This DPA is effective as of the effective date of the applicable Service Order ("Effective Date").

1. DEFINITIONS

1.1 Terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following terms used in this DPA will be defined as follows:

"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.

"Covered Data" means Personal Data that is: (a) provided by or on behalf of Customer to Luzidos in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Luzidos, or its agents or subcontractors, on behalf of Customer for purposes of providing the Services.

"Customer Affiliate" means an affiliate of Customer who is a beneficiary to the Agreement.

"Data Subject" means a natural person whose Personal Data is Processed.

"Deidentified Data" means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

"EEA" means the European Economic Area including the European Union ("EU").

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.

"Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.

"Personal Data" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Applicable Data Protection Laws.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly.

"Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.

"Services" means the services to be provided by Luzidos pursuant to the Agreement.

"Standard Contractual Clauses" or "SCCs" means Module Two (Controller to Processor) and/or Module Three (Processor to Processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

"Sub-processor" means an entity appointed by an entity to Process Covered Data on its behalf.

"UK" means the United Kingdom.

"US Data Protection Laws" means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

2. INTERACTION WITH THE AGREEMENT

2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

2.2 Any Processing operation as described in clause 4 (Details of Data Processing) and Schedule 1 to this DPA will be subject to this DPA.

2.3 Customer Affiliates will be beneficiaries under this DPA and, through Customer (see clauses 2.4 and 2.5), be entitled to enforce all rights in relation to Covered Data provided by the respective Affiliate. Customer will ensure that all obligations under this DPA will be passed on to the respective Customer Affiliate.

2.4 Customer warrants that it is duly mandated by any Customer Affiliates on whose behalf Luzidos Processes Covered Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of Customer Affiliates, and to act on behalf of Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer Affiliates.

2.5 Customer will be the only point of contact for all communication between Customer Affiliates and Luzidos.

3. ROLE OF THE PARTIES

3.1 The Parties acknowledge and agree that:

3.1.1 for the purposes of the GDPR, Luzidos acts as "processor" or "sub-processor" (as defined in the GDPR). Luzidos's function as processor or sub-processor will be determined by the function of Customer:

3.1.1.1 Where Customer acts as a controller, Luzidos acts as a processor.

3.1.1.2 Where Customer acts as a processor on behalf of another controller, Luzidos acts as a sub-processor.

3.1.2 for the purposes of the US Data Protection Laws, Luzidos will act as a "service provider" or "processor" (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.

4. DETAILS OF DATA PROCESSING

4.1 The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.

4.2 Covered Data will only be Processed on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Luzidos is prohibited from:

4.2.1 selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;

4.2.2 sharing Covered Data with any third party for cross-context behavioral advertising;

4.2.3 retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;

4.2.4 retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and

4.2.5 except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Luzidos receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

4.3 Luzidos will limit access to Covered Data to personnel who have a business need to have access to such Covered Data, and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement.

4.4 Luzidos may (without prejudice to clause 11) Process Covered Data anywhere that Luzidos or its Sub-processors maintain facilities, subject to clause 5 of this DPA.

4.5 Luzidos will provide Customer with information to enable Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws. In addition, Luzidos will notify Customer promptly if Luzidos determines that it can no longer meet its obligations under Applicable Data Protection Laws.

4.6 Customer will have the right to take reasonable and appropriate steps to ensure that Luzidos uses Covered Data in a manner consistent with Customer's obligations under Applicable Data Protection Laws.

5. SUB-PROCESSORS

5.1 Customer grants Luzidos the general authorisation to engage Sub-processors, subject to clause 5.2, as well as Luzidos's current Sub-processors as of the Effective Date.

5.2 Luzidos will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Luzidos's obligations under this DPA.

5.3 Luzidos will provide Customer with at least fifteen (15) days' notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Customer may object to Luzidos's use of a new Sub-processor by providing Luzidos with written notice within ten (10) days after notice is provided.

6. DATA SUBJECT RIGHTS REQUESTS

6.1 As between the Parties, Customer will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a "Data Subject Request").

6.2 Luzidos will promptly forward to Customer without undue delay any Data Subject Request received by Luzidos or any Sub-processor and may advise the individual to submit their request directly to Customer.

6.3 Luzidos will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

7. SECURITY AND AUDITS

7.1 Luzidos will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data. The measures are set out in Schedule 2.

7.2 Customer will have the right to audit Luzidos's compliance with this DPA upon reasonable written notice, only once per year, and only during normal business hours.

8. SECURITY INCIDENTS

8.1 Luzidos will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications.

9. DELETION AND RETURN

9.1 Luzidos will, within thirty (30) days of the date of termination or expiry of the Agreement, return or delete all Covered Data as requested by Customer.

10. CONTRACT PERIOD

10.1 This DPA will commence on the Effective Date and remain in effect until Luzidos's deletion of all Covered Data as described in this DPA.

11. STANDARD CONTRACTUAL CLAUSES

11.1 The Standard Contractual Clauses as specified in Schedule 3 are incorporated by reference and apply to transfers of Covered Data falling within the scope of the GDPR.

12. DEIDENTIFIED DATA

12.1 If Luzidos receives Deidentified Data from Customer, Luzidos will take reasonable measures to ensure the information cannot be associated with a Data Subject and will not attempt to reidentify the information.

13. GENERAL

13.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.

13.2 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.

SCHEDULE 1 - DETAILS OF PROCESSING

A. List of Parties

1. Data Exporter

The data exporter is: each of the Customer and/or Customer Affiliates operating in countries which comprise the European Economic Area, UK and/or Switzerland.

2. Data Importer

The data importer is: Luzidos.

B. Description of Processing

1. Categories of Data Subjects

  • Authorized Users
  • Prospects, customers, business partners and vendors of Customer
  • Employees or contact persons of prospects, customers, business partners and vendors
  • Employees, agents, advisors, and freelancers of Customer

2. Categories of Personal Data

Name, email address, name of employer, and account credentials.

3. Frequency of the Processing

  • The Processing is performed continuously and is determined by the Customer as set forth in the Agreement.

4. Subject matter and nature of the Processing

The provision of automation tools for software implementation consultants.

5. Purpose(s) of the data transfer and further Processing

To provide the Services, including access to artificial intelligence models specialized in document generation.

6. Storage Limitation

If Personal Data is not deleted upon request by Customer during the term of the Agreement, the duration of Processing corresponds to the duration of this DPA as defined in clause 10 of the DPA.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs:

  • Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the Member State in which the representative is established.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Spain.

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

Luzidos has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  • Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Luzidos's information security program.
  • Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Luzidos's organization, monitoring and maintaining compliance with Luzidos's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  • Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
    • being transmitted by Luzidos over public networks (i.e., the Internet) or when transmitted wirelessly; or
    • at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
  • Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all Users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  • Password controls designed to manage and control password strength, expiration and usage including prohibiting Users from sharing passwords and requiring that Luzidos's passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Luzidos's computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
  • System audit or event logging and related monitoring procedures to proactively record User access and system activity for routine review.
  • Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Luzidos facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
  • Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Luzidos's possession.
  • Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Luzidos's technology and information assets.
  • Incident / problem management procedures designed to allow Luzidos to investigate, respond to, mitigate, and notify of events related to Luzidos's technology and information assets.
  • Network security controls that provide for the use of firewall systems, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  • Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  • Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

SCHEDULE 3 - STANDARD CONTRACTUAL CLAUSES

EU SCCS

The Standard Contractual Clauses will apply to any Processing of Covered Data that is subject to the GDPR. For the purposes of the Standard Contractual Clauses:

  • Module Two will apply in the case of the Processing under clause 3(a)(i) of the DPA and Module Three will apply in the case of Processing under clause 3(a)(ii) of the DPA.
  • Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
  • Clause 9(a) option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 5.3 of the DPA.
  • The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
  • With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be the law of Spain.
  • In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Spain.
  • For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
  • For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures.
  • The specifications for Annex III of the Standard Contractual Clauses are determined by clause 5.1 of the DPA. The Sub-processor's contact person's name, position and contact details will be provided by Luzidos upon request.

UK ADDENDUM

This UK Addendum will apply to any Processing of Covered Data that is subject to the UK GDPR or to both the UK GDPR and the GDPR.

As used in this UK Addendum:

  • "Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.
  • "Mandatory Clauses" means "Part 2: Mandatory Clauses" of the Approved Addendum.

With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Customer (as data exporter) to Luzidos (as data importer):

  • the Approved Addendum as further specified in this Schedule 4 will form part of this DPA, and the Standard Contractual Clauses will be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 lit. 1 of the Mandatory Clauses;
  • In deviation to Table 1 of the Approved Addendum and in accordance with Clause 17 of the Mandatory Clauses, the parties are further specified in Schedule 1A. of this DPA.
  • The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in this Schedule as amended by the Mandatory Clauses.
  • Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule 1 of this DPA, Annex II of the Approved Addendum is further specified by Schedule 2 of this DPA, and Annex III of the Approved Addendum is further specified by Schedule 1B.10 of this DPA.
  • Luzidos (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses;
  • Clause 16 of the Mandatory Clauses will not apply.

SWISS ADDENDUM

This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

Interpretation of this Addendum

  • Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses.
  • This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  • This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
  • Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

Incorporation of the Clauses

In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including the Standard Contractual Clauses to the extent necessary so they operate:

  • for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter's Processing when making that transfer; and
  • to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by clause 3.1 of this Swiss Addendum, include (without limitation):

  • References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
  • Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer."
  • References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
  • References to Regulation (EU) 2018/1725 are removed.
  • References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
  • Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws;
  • Clause 17 is replaced to state "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".
  • Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."
  • Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect Personal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.

To the extent that any Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in this Schedule will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 3.1 and 3.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under clause 3.3(b)(vii) of this Swiss Addendum.

Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.

Contact Information

For questions about this Data Processing Addendum or data processing practices, please contact us at:

Email: privacy@luzidos.com