
DATA PROCESSING AGREEMENT


This Data Processing Agreement (“DPA”) supplements the Master Services Agreement (the “Agreement”) entered into by and between [CUSTOMER NAME] (“Customer”) and Lilt, Inc. (“Lilt”) as of the last date signed by either party below (“Effective Date”). By executing this DPA, Customer agrees to be bound by the terms of this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its affiliates, if any. In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms and conditions of this DPA will supersede and control.

1. Definitions

1.1 All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the main body of the Agreement.

1.2 For the purposes of this DPA the following words will have the following meanings:

“Customer Personal Data” means Personal Data Processed by Lilt on behalf of the Customer in connection with the Agreement.

“Data Protection Laws” means (i) the General Data Protection Regulation (EU) 2016/679 (the “GDPR”); (ii) the Data Protection Acts 1988 to 2018, and any other legislation which implements the GDPR; (iii) the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011; (iv) any other legislation which implements the European Community’s Directive 2002/58/EC; (v) any binding guidance and/or codes of practice issued by the Irish Data Protection Commission or the European Data Protection Board; (vi) to the extent relevant, the retained European Union law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland (“UK GDPR”); (vii) all applicable portions of the California Consumer Privacy Act of 2018; and (viii) any applicable data privacy laws of the United States.

“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process” or “Processing” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction and for the avoidance of doubt includes all processing as defined in the GDPR.

“Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Lilt and for the avoidance of doubt includes all personal data breaches as defined in the GDPR.

“Services” means any and all services or obligations that Lilt performs under the Agreement.

“Sub-Processor” means any third-party data Processor engaged by Lilt or by other companies in Lilt’s group of companies to Process Customer Personal Data.

“Standard Contractual Clauses” or “SCCs” means together (i) the “EU SCCs”, which are the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), and (ii) the “UK SCCs”, which are comprised of the EU SCCs as incorporated in and amended by the UK Addendum.

“UK Addendum” means the International Data Transfer Addendum issued by the UK’s Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organizations/documents/4019539/international-data-transfer-addendum.pdf.

2. Status of the parties

2.1 Each of the parties will comply with Data Protection Laws concerning the Processing of Customer Personal Data, in performing its obligations and exercising its rights under the Agreement.

2.2 If and to the extent language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall prevail. To the extent applicable and to the extent there is a conflict between the terms of the SCCs and this DPA, the SCCs shall prevail.

2.3 The Customer Personal Data, the duration of Processing and the specific uses of the Customer Personal Data are detailed in Schedule 1 attached hereto.

3. Processing of Personal Data

3.1 Lilt will act as a Processor in respect of the Customer Personal Data and will only Process the Customer Personal Data in accordance with the documented instructions of the Customer and the Data Protection Laws.

3.2 Lilt will only Process Customer Personal Data to perform its obligations pursuant to the Agreement.

3.3 Lilt will immediately inform the Customer if any instruction it receives from the Customer breaches the Data Protection Laws.

3.4 The Customer will ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with its instructions will not breach Data Protection Laws.

3.5 The parties agree that the Agreement (including this DPA) sets out the Customer’s complete instructions to Lilt for the Processing of Customer Personal Data, and any Processing outside the scope of these instructions will require prior written agreement between Lilt and the Customer.

3.6 Lilt will ensure that any persons authorized by it to Process the Customer Personal Data (including its employees, contractors, agents and subcontractors) are contractually obliged to keep the Customer Personal Data secure and confidential to the standards required by the Data Protection Laws, and in compliance with the Agreement.

3.7 Lilt will provide reasonable assistance to the Customer in order to enable the Customer to:

3.7.1 meet its obligations under Data Protection Laws to implement appropriate technical and organizational security measures;

3.7.2 respond to requests by Data Subjects to exercise their rights under Data Protection Laws;

3.7.3 notify supervisory authorities and/or Data Subjects about Security Incidents; and

3.7.4 conduct data protection impact assessments and prior consultation with supervisory authorities.

4. Security

Lilt will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security of Customer Personal Data.

5. Sub-Processors

5.1 The Customer specifically authorizes Lilt to engage Sub-Processors, as described in Lilt’s Subprocessor List at https://lilt.com/legal/lilt-subprocessors.

5.2 Lilt will: (i) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Customer Personal Data as Lilt’s obligations in this DPA to the extent applicable to the nature of the services provided by such Sub-Processor; and (ii) be liable and responsible for the acts and omissions of any Sub-Processor as if such acts and omissions were its own.

5.3 Lilt will provide Customer with at least thirty (30) days’ prior written notice of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object to such changes within ten (10) days. A list of Lilt’s Sub-Processors can be found at the address given in Clause 5.1, and may be updated from time to time in accordance with this Clause 5.

6. Data Subject Rights

To the extent legally permitted, Lilt will promptly notify (and provide reasonable assistance to) the Customer if Lilt receives a request from a Data Subject that identifies the Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Customer Personal Data.

7. Security Incidents

7.1 If Lilt becomes aware of a Security Incident, Lilt will notify the Customer without undue delay, and in any case, where feasible within seventy-two (72) hours after becoming aware.

7.2 Lilt will provide to the Customer timely information about the Security Incident, including, but not limited to: the nature and consequences of the Security Incident, the measures taken and/or proposed by Lilt to mitigate or contain the Security Incident, the status of Lilt’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned.

8. Data Transfers

8.1 The Customer authorizes Lilt and its Sub-Processors to transfer Customer Personal Data across international borders, including from the European Economic Area (the “EEA”) and the United Kingdom (“UK”) to the United States. To the extent that Lilt transfers personal data from the EEA or the UK to a third country to provide the Services, Lilt shall do so only in compliance with the Data Protection Laws.

8.2 For transfers of Personal Data by Customers to Lilt under this DPA from the UK, the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate or equivalent level of data protection within the meaning of the applicable Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such applicable Data Protection Laws, the Standard Contractual Clauses and/or UK Addendum (as applicable) shall apply.

8.3 The Standard Contractual Clauses and/or UK Addendum (as applicable) are incorporated into this Agreement by reference and shall apply as follows:

  • The Customer enters into the SCCs as controller and exporter and Lilt enters into the SCCs as processor and importer, and each party's address is as set out in the Agreement;

  • Module Two only of the SCCs will apply;

  • in Clause 7, the optional docking clause will apply, and the same shall apply with respect to Table 2 of the UK Addendum;

  • in Clause 9(a), option 2 will apply and Lilt will inform the Customer of the addition or replacement of Sub-Processors at least 30 days in advance, and the same shall apply with respect to Table 2 of the UK Addendum;

  • in Clause 11, the optional language will not apply, and the same shall apply with respect to Table 2 of the UK Addendum;

  • in Clause 17, option 1 shall apply and the SCCs will be governed by Irish law and Part 2, Section 15(m) of the UK Addendum regarding Clause 17 of the EU SCCs shall apply with respect to the UK SCCs;

  • in Clause 18(b), disputes shall be resolved before the courts of Ireland and Part 2, Section 15(n) of the UK Addendum shall apply;

  • Annex I of the SCCs and/or UK Addendum shall be deemed completed with the information set out in Schedule 1 to this Agreement; and

  • Annex II of the SCCs and/or UK Addendum shall be deemed completed with the information set out in Schedule 2 to this Agreement.

8.4 Notwithstanding the fact that the SCCs and/or UK Addendum (as applicable) are incorporated herein by reference without the SCCs and/or UK Addendum actually being signed by the parties, the parties agree that each party’s execution of this DPA is deemed to constitute its execution of the SCCs and/or UK Addendum on behalf of the data exporter or data importer (as applicable), and that each party is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.

9. Deletion or Return of Personal Data

9.1 Lilt will, at Customer’s direction and cost, delete or return all Customer Personal Data to Customer at the end of the provision of the applicable Services to which the Processing relates, and delete all existing copies held by Lilt (unless applicable law requires the storage of such Customer Personal Data by Lilt) and, upon Customer’s written request, provide confirmation in writing to the Customer that it has complied with any such request of Customer. To the extent that the Data Protection Laws require Lilt to store Customer Personal Data, Lilt will notify the Customer in writing of that fact and of the law that applies to such storage, to the extent legally permitted.

10. Audit Rights

10.1 Upon Customer’s request, Lilt shall, no more than once per calendar year, make available for review by Customer or its appropriately qualified third-party representative (collectively, the “Auditor”) copies of certifications or reports demonstrating Lilt’s compliance with this DPA.

10.2 Where the Auditor is a third party, the Auditor may be required to execute a separate confidentiality agreement with Lilt prior to any audit of Lilt, and Lilt may object in writing to such Auditor if, in Lilt’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Lilt. Any such objection by Lilt will require the Customer to either appoint another Auditor or conduct the audit itself. Expenses incurred by the Auditor in connection with any review of reports or an audit shall be borne exclusively by the Auditor.

IN WITNESS WHEREOF, the parties hereto have caused this DPA to be executed as of the Effective Date.

Lilt, Inc.

Customer

Signature

Signature

Name

Name

Title

Title

Date

Date

SCHEDULE 1

Subject Matter of Processing

The subject matter of Processing is the Services pursuant to the Agreement.

Frequency/Duration of Processing or the transfer of Customer Personal Data

The Processing will continue until the expiration or termination of the Agreement or the end of the provision of the applicable Services to which the Processing relates, whichever is earlier.

Categories of Data Subjects

Includes the following:

  • Prospects, customers, business partners and vendors of the Customer (who are natural persons)

  • Employees or contact persons of the Customer’s prospects, customers, business partners and vendors

  • Employees, agents, advisors, freelancers of the Customer (who are natural persons)

Nature and Purpose of Processing

Includes the following:

The purpose of Processing of Customer Personal Data by Lilt is the performance of the Services pursuant to the Agreement.

Types of Personal Information

Includes the following:

  • Identification data (notably name, email addresses and phone numbers)

  • Electronic identification data (notably IP addresses and mobile device IDs)

  • Personal data included in documentation for translation

Competent Supervisory Authority

Data Protection Commission of Ireland

Retention Period

For the duration of the Agreement

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Security and Trust Center

Infrastructure

  • Data Center Security: Our infrastructure is on the Google Cloud Platform, which maintains an extensive set of certifications including SOC 2, ISO 27001, and FedRAMP that cover the service’s security, confidentiality, availability, and integrity. More information on GCP security is available at https://cloud.google.com/security/compliance/#/

  • Monitoring: We collect logs of system events throughout our infrastructure, including cloud-level, application-level, and data-store-level audit trails. Logs are stored in an immutable storage system that prevents accidental or malicious deletion. Administrators have configured alerts for key system activity that may indicate a compromise or misconfiguration.

  • Encryption in Transit: We use TLS 1.2 encryption for communication with our website and APIs, automatic HTTP to HTTPS redirection, and HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Our default cipher suites provide Perfect Forward Secrecy (PFS) and Authenticated Encryption with Associated Data (AEAD).

  • Encryption at Rest: All customer data is encrypted at rest using AES-256 encryption. Encryption keys are stored in hardware security modules (HSMs) and periodically rotated.

  • Backups: Customer data is backed up daily using automated snapshots which are stored in authentication-protected storage using pre-defined retention times. System administrators are notified of failed or delayed backups. Backups are geographically isolated from production systems.

  • Application Security: Our development team utilizes best practices in code development, testing, and deployment. As part of that process, we leverage frameworks that provide protections against common web vulnerabilities (e.g. OWASP Top 10). Libraries and dependency code are scanned for known vulnerabilities and tickets automatically opened for engineers to review and upgrade packages.

  • Penetration Testing: Our services are tested annually by professional penetration testing teams. During the assessment, the team seeks to identify vulnerabilities and weaknesses that could enable attackers to compromise our systems. Identified issues are prioritized and remediated by our technical team. A customer letter is available upon request.

  • Secure Decommissioning: The secure decommissioning of hardware used to manage and store customer data is managed by our cloud provider which leverages a combination of mark-and-sweep deletion cycles, cryptographic erasure, and physical device destruction in compliance with NIST SP 800-88 Revision 1.

Access Control

  • User Authentication: Customers can authenticate to our service either using user-defined passwords or SSO. Inside our application, customers can configure roles that further restrict what actions their users can take on their data.

  • Security: User passwords must meet minimum length and complexity requirements. Brute-force protection is implemented using account throttling, where repeated attempts to log in to an account result in a progressive delay between login attempts. Passwords are stored as salted hashes, not in recoverable form.

  • Cloud Access: Cloud access is protected using 2FA for administrative accounts and encrypted VPN access for access to internal systems. All administrative access to cloud systems is logged.

  • Database Access: Administrative access to production databases is restricted to a subset of our engineering team. All access uses unique accounts and administrator activity is logged to our centralized logging system.

  • Code Access: Code is stored in a centralized code repository that requires 2FA for authentication. User groups are configured to provide only the access necessary for employees to do their assigned job. Code updates undergo mandatory code review and approval before being released into production.

Policies & Procedures

  • Security Policy: We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure including:

    • System Inventory

    • Data Classification

    • System lockdown procedures

    • Encryption

    • Data Access

    • Incident Response

    • Backups and Restoration

  • Confidentiality Agreements: All employees and contractors are required to sign confidentiality agreements.

  • On-boarding and Off-boarding: All employees are on-boarded using a standard process to ensure they receive training and access appropriate to perform their job role. Our off-boarding process is designed to efficiently remove access and accounts when employees leave the company or transition job roles.

  • Employee Computers: Our employee computers and company mobile devices are required to meet a set of security requirements including full disk encryption, vulnerability updates, company-approved password manager, and login restrictions.

  • Physical Access Management: Lilt employees are issued a secure access card that permits entry to the main office areas, and all doors are equipped with card readers. Card reader entries are logged. Employees’ badges must be returned during off-boarding, and missing badges must be reported to the responsible office manager and then revoked and disabled. The company replaces or resets physical locks in the event of a breach, evidence of tampering, or key loss.