DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“Addendum”) forms part of the Master Software as a Service Agreement (the “Agreement”) between LexCheck Inc. (“LexCheck”) and Customer (“Customer” (collectively the “Parties”)).

1. Subject Matter and Duration. 

1. Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with LexCheck’s execution of the Agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
2. Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or upon the date upon which both Parties have signed this Addendum, if it is completed after the Effective Date of the Agreement. LexCheck will Process Customer Personal Data until the relationship terminates as specified in the Agreement. LexCheck’s obligations and Customer’s rights under this Addendum will continue in effect so long as LexCheck Processes Customer Personal Data. 

2. Definitions. 

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

1. “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protections Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements.
2. “Customer Personal Data” means Personal Data pertaining to Customer’s users or employees Processed by LexCheck. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit 1 attached hereto, as required by the GDPR.
3. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
4. “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).
5. “Privacy Shield” collectively means the requirements of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.   
6. “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
7. “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
8. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by LexCheck.
9. “Services” means any and all services that LexCheck performs under the Agreement.
10. "Third Party(ies)” means LexCheck’s authorized contractors, agents, vendors and third party service providers that Process Customer Personal Data. 

3. Data Use and Processing.

1. Compliance with Laws.  Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s). 
2. Documented Instructions. LexCheck and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this Addendum, the Agreement, or any applicable Statement of Work. LexCheck will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
3. Authorization to Use Third Parties. To the extent necessary to fulfill LexCheck’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) LexCheck to engage Third Parties and (ii) Third Parties to engage subprocessors. Any Third Party Processing of Customer Personal Data shall be consistent with Customer’s reasonable documented instructions and comply with all Applicable Data Protection Law(s).
4. LexCheck and Third Party Compliance. LexCheck agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties (and their subprocessors) data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for LexCheck’s Third Parties’ (and their subprocessors if applicable) failure to perform their obligations  with respect to the Processing of Customer Personal Data.
5. Right to Object to Third Parties. LexCheck shall make available to Customer a list of Third Parties that Process Customer Personal Data upon reasonable request. Prior to engaging any new Third Parties that Process Customer Personal Data, LexCheck will notify Customer via email and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Third Party, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by LexCheck without use of the objectionable Third Party. LexCheck shall refund any pre-paid fees to Customer in respect of the terminated part of the Service.
6. Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
7. Personal Data Inquiries and Requests. LexCheck agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay, LexCheck agrees to assist Customer in answering or complying with any Privacy Request in so far as it is possible.
8. Data Protection Impact Assessment and Prior Consultation. LexCheck agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by LexCheck is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
9. Demonstrable Compliance. LexCheck agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request. 

4. Cross-Border Transfers of Personal Data. 

1. Cross-Border Transfers of Personal Data. Customer authorizes LexCheck and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Customer Personal Data must be supported by an approved adequacy mechanism.
2. Standard Contractual Clauses. LexCheck and Customer will use the European Commission
   
   Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors (“Model Clauses”) as the adequacy mechanism supporting the transfer and Processing of Customer Personal Data, the terms of which are herein incorporated by reference and made part hereto. Under Appendix 1 of the Model Clauses, the “data exporter” is Customer and the “data importer” is LexCheck and the information required by Appendix 1 can be found in Exhibit 1. For the purposes of Appendix 2 of the Model Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this Addendum. Pursuant to clause 5(h) of the Model Clauses, Company agrees that LexCheck may engage new Third Parties in accordance with Section(s) 3(c) – 3(e) of this Addendum. The Parties agree that the Illustrative
   
   Clause (Optional) is expressly not included in the Model Clauses. Each party’s signature to this Addendum shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.

5. Information Security Program.

1. LexCheck agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Such measures shall be designed to include: 

1. 1. Pseudonymisation of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit and at rest;
   2. The ability to ensure the ongoing confidentiality, integrity, availability of LexCheck’s Processing and Customer Personal Data;
   3. The ability to restore the availability and access to Customer Personal Data in the event of a physical or technical incident;
   4. A process for regularly testing, assessing and evaluating of the effectiveness of the LexCheck’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.   

6. Security Incidents. 

1. Security Incident Procedure. LexCheck will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
2. Notice. LexCheck agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than twenty-four (24) hours) to Customer’s Designated POC upon becoming aware that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. 

7. Audits.

1. Right to Audit; Permitted Audits. LexCheck shall make available to Customer and its regulators all  information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Customer and its regulators shall have the right to inspect LexCheck’s architecture, systems, and documentation which are relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator:
   1. Following any notice from LexCheck to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data;
   2. Upon Customer’s reasonable belief that LexCheck is not in compliance with Applicable Data Protection Laws, this Addendum or its security policies and procedures under the Agreement;
   3. As required by governmental regulators;
   4. For any reason, or no reason at all, once annually.
2. Audit Terms. Any audits described in this Section shall be:
   1. Conducted by Customer or its regulator, or through a third party independent contractor selected by one of these parties, and to whom LexCheck does not reasonably object.
   2. Conducted during reasonable times.
   3. Conducted upon reasonable advance notice to LexCheck.
   4. Of reasonable duration and scope and shall not unreasonably interfere with LexCheck’s day-today operations.
   5. Conducted in such a manner that does not violate any agreement between LexCheck and its service providers, including cloud providers, or violate or cause LexCheck to violate its reasonable policies related to security and confidentiality.
3. Third Parties. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect LexCheck’s and LexCheck’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
4. Audit Results. Upon LexCheck’s request, after conducting an audit, Customer shall notify LexCheck of the manner in which LexCheck does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, LexCheck shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of LexCheck’s notice of completion of any necessary changes. To the extent that a Customer audit identifies any material security vulnerabilities, LexCheck shall promptly remediate those vulnerabilities.

8. Data Storage and Deletion.

1. Data Storage. LexCheck will abide by the following with respect to storage of Customer Personal Data:
   1. LexCheck will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.
   2. LexCheck will (i) inform Customer in writing of all countries where Customer Personal Data is Processed or stored and (ii) obtain consent from Customer for Processing or storage in the identified countries. As of the Effective Date, LexCheck stores Customer Personal Data in the following countries to which Customer hereby consents: United States.
2. Data Deletion. LexCheck will abide by the following with respect to deletion of Customer Personal Data:
   1. Within ninety (90) calendar days of the Agreement’s expiration or termination, LexCheck will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).
   2. Upon Customer’s request, LexCheck will promptly return to Customer a copy of all Customer Personal Data within thirty (30) calendar days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.
   3. All deletion of Customer Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.
   4. Tapes, printed output, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding performed by a bonded provider.
   5. Upon Customer’s request, LexCheck will provide evidence that LexCheck has deleted all Customer Personal Data. LexCheck will provide the “Certificate of Deletion” within thirty (30) calendar days of Customer’s request.

 

1.1  Subject Matter of Processing	The subject matter of Processing is the Services pursuant to the Agreement.
1.2  Duration of Processing	The Processing will continue until the expiration or termination of the Agreement.
1.3  Categories of Data Subjects	Includes the following: Prospects, customers, business partners and vendors of Customer (who are natural persons) Employees or contact persons of Customer’s prospects, customers, business partners and vendors Employees, agents, advisors, freelancers of Customer (who are natural persons) Customer’s users authorized by Customer to use the Services
1.4  Nature and Purpose of Processing	Includes the following: Nature: Processing of the data uploaded by Customer to LexCheck's contract negotiation SaaS application. The purpose of Processing of Customer Personal Data by LexCheck is the performance of the Services pursuant to the Agreement.
1.5  Types of Personal Information	Includes the following: First and last name Title Position Employer Contact information (company, email, phone, physical business address) Identification Data (notably email addresses and phone numbers) Electronic identification data (notably IP addresses and mobile device IDs)