DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) supplements the Master Services Agreement (the “Agreement”) entered into by and between [CUSTOMER NAME] (“Customer”) and Lilt, Inc. (“Lilt”) as of the last date signed by either party below (“Effective Date”). By executing this DPA, Customer agrees to be bound by the terms of this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its affiliates, if any. In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms and conditions of this DPA will supersede and control.

1. Definitions

1.1 All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the main body of the Agreement.

1.2 For the purposes of this DPA the following words will have the following meanings:

Customer Personal Data” means Personal Data Processed by Lilt on behalf of the Customer in connection with the Agreement.

Data Protection Laws” means (i) the General Data Protection Regulation (EU) 2016/679 (the “GDPR”); (ii) the Data Protection Acts 1988 to 2018, and any other legislation which implements the GDPR; (iii) the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011; (iv) any other legislation which implements the European Community’s Directive 2002/58/EC; (v) any binding guidance and / or codes of practice issued by the Irish Data Protection Commission or the European Data Protection Board; (vi) to the extent relevant, the retained European Union law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland (“UK GDPR”); (vi) all applicable portions of the California Consumer Privacy Act of 2018; and (vii) any applicable data privacy laws of the United States.

Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Process” or “Processing” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction and for the avoidance of doubt includes all processing as defined in the GDPR.

Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Lilt and for the avoidance of doubt includes all personal data breaches as defined in the GDPR.

Services” means any and all services or obligations that Lilt performs under the Agreement.

Sub-Processor” means any third-party data Processor engaged by Lilt or by other companies in Lilt’s group of companies to Process Customer Personal Data.

Standard Contractual Clauses” or "SCCs" means together (i) the “EU SCCs” which are the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), and (ii) the “UK SCCs” which are comprised of the EU SCCs as incorporated in and amended by the UK Addendum.

UK Addendum” means the International Data Transfer Addendum issued by the UK’s Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organizations/documents/4019539/international-data-transfer-addendum.pdf.

2. Status of the parties

2.1 Each of the parties will comply with Data Protection Laws concerning the Processing of Customer Personal Data, in performing its obligations and exercising its rights under the Agreement.

2.2 If and to the extent language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall prevail. To the extent applicable and to the extent there is a conflict between the terms of the SCCs and this DPA, the SCCs shall prevail.

2.3 The Customer Personal Data, the duration of Processing and the specific uses of the Customer Personal Data are detailed in Schedule 1 attached hereto.

3. Processing of Personal Data

3.1 Lilt will act as a Processor in respect of the Customer Personal Data and will only Process the Customer Personal Data in accordance with the documented instructions of the Customer and the Data Protection Laws.

3.2 Lilt will only Process Customer Personal Data to perform its obligations pursuant to the Agreement.

3.3 Lilt will immediately inform the Customer if any instruction it receives from the Customer breaches the Data Protection Laws.

3.4 The Customer will ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with its instructions will not breach Data Protection Laws.

3.5 The parties agree that the Agreement (including this DPA) sets out the Customer’s complete instructions to Lilt for the Processing of Customer Personal Data, and any Processing outside the scope of these instructions will require prior written agreement between Lilt and the Customer.

3.6 Lilt will ensure that any persons authorized to Process the Customer Personal Data by it (including its employees, contractors, agents and subcontractors) are contractually obliged to keep the Customer Personal Data a secure and confidential to the standards required by the Data Protection Laws, and in compliance with the Agreement.

3.7 Lilt will provide reasonable assistance to the Customer in order to enable the Customer to:

3.7.1 meet its obligations under Data Protection Laws to implement appropriate technical and organizational security measures;

3.7.2 respond to requests by Data Subjects to exercise their rights under Data Protection Laws;

3.7.3 notify supervisory authorities and/or Data Subjects about Security Incidents; and

3.7.4 to conduct data protection impact assessments and prior consultation with supervisory authorities.

4. Security

Lilt will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security of Customer Personal Data.

5. Sub-Processors

5.1 The Customer specifically authorizes Lilt to engage Sub-Processors, as described in Lilt’s Subprocessor List at https://lilt.com/legal/lilt-subprocessors.

5.2 Lilt will: (i) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Customer Personal Data as Lilt’s obligations in this DPA to the extent applicable to the nature of the services provided by such Sub-Processor; and (ii) be liable and responsible for the acts and omissions of any Sub-Processor as if such acts and omissions were its own.

5.3 Lilt will provide Customer with at least thirty (30) days prior, written notice of any intended changes concerning the addition or replacement of Sub-Processors thereby giving the Customer the opportunity to object to such changes within ten (10) days. A list of Lilt's Sub-Processors can be found here, which may be updated from time to time in accordance with this Clause 5.

6. Data Subject Rights

To the extent legally permitted, Lilt will promptly notify (and provide reasonable assistance to) the Customer if Lilt receives a request from a Data Subject that identifies the Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Customer Personal Data.

7. Security Incidents

7.1 If Lilt becomes aware of a Security Incident, Lilt will notify the Customer without undue delay, and in any case, where feasible within seventy-two (72) hours after becoming aware.

7.2 Lilt will provide to the Customer timely information about the Security Incident, including, but not limited to: the nature and consequences of the Security Incident, the measures taken and/or proposed by Lilt to mitigate or contain the Security Incident, the status of Lilt’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned.

8. Data Transfers

8.1 The Customer authorizes Lilt and its Sub-Processors to transfer Customer Personal Data across international borders, including from the European Economic Area (the “EEA”) and the United Kingdom (“UK”) to the United States. To the extent that Lilt transfers personal data from the EEA or the UK to a third country to provide the Services, Lilt shall do so only in compliance with the Data Protection Laws.

8.2 For transfers of Personal Data by Customers to Lilt under this DPA from the UK, European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate or equivalent level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such applicable Data Protection Laws.

8.3 The Standard Contractual Clauses and/or UK Addendum (as applicable) are incorporated into this Agreement by reference shall apply as follows:

  • The Customer enters into the SCCs as controller and exporter and Lilt enters into the SCCs as processor and importer, and each party's address is as set out in the Agreement;

  • Module Two only of the SCCs will apply;

  • in Clause 7, the optional docking clause will apply, and the same shall apply with respect to Table 2 of the UK Addendum;

  • in Clause 9(a) option 2 will apply and Lilt will inform the Customer of the addition or replacement of sub- processors at least 30 days in advance, and the same shall apply with respect to Table 2 of the UK Addendum.

  • in Clause 11, the optional language will not apply, and the same shall apply with respect to Table 2 of the UK Addendum;

  • in Clause 17, option 1 shall apply and the SCCs will be governed by Irish law and Part 2, Section 15(m) of the UK Addendum regarding Clause 17 of the EU SCCs shall apply with respect to the UK SCCs;

  • in Clause 18(b), disputes shall be resolved before the courts of Ireland and Part 2, Section 15(n) of the UK Addendum shall apply; and

  • Annex I of the SCCs and/or UK Addendum shall be deemed completed with the information set out in Schedule 1 to this Agreement; and

  • Annex II of the SCCs and/or UK Addendum shall be deemed completed with the information set out in Schedule 2 to this Agreement.

8.4 Notwithstanding the fact that the SCCs and/or UK Addendum (as applicable) are incorporated herein by reference without the SCCs and/or UK Addendum actually being signed by the parties, the parties agree that the execution of this DPA is deemed to constitute its execution of the SCCs and/or UK Addendum on behalf of the data exporter or data importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.

9. Deletion or Return of Personal Data

9.1 Lilt will, at Customer’s direction and cost, delete or return all Customer Personal Data to Customer at the end of the provision of the applicable Services to which the Processing relates, and delete all existing copies held by Lilt (unless applicable law requires the storage of such Customer Personal Data by Lilt) and, upon customer’s written request, provide confirmation in writing to the Customer that it has complied with any such request of Customer. To the extent that the Data Protection Laws require Lilt to store Customer Personal Data, Lilt will notify the Customer in writing of that fact and of the law that applies to such storage, to the extent legally permitted.

10. Audit Rights

10.1 Upon Customer’s request, Lilt shall, no more than once per calendar year make available for Customer’s or its appropriately qualified third-party representative’s (collectively, the "Auditor") review, copies of certifications or reports demonstrating Lilt’s compliance with this DPA.

10.2 Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with Lilt prior to any audit of Lilt, and Lilt may object in writing to such Auditor, if in Lilt's reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Lilt. Any such objection by Lilt will require the Customer to either appoint another Auditor or conduct the audit itself. Expenses incurred by Auditor in connection with any review of Reports or an audit, shall be borne exclusively by the Auditor.

IN WITNESS WHEREOF, the parties hereto have caused this DPA to be executed as of the Effective Date.

Lilt, Inc.

Customer

Signature

Signature

Name

Name

Title

Title

Date

Date