DATA PROCESSING ADDENDUM

Last Updated: October 24, 2021

This Data Processing Addendum (including the annexes attached hereto, this “DPA”) forms part of and is subject to the Luminary Cloud Terms of Service or the written agreement, as applicable (the “Agreement”) between the legal entity defined as ‘Customer’ thereunder (“Customer”) and Luminary Cloud, Inc. (“Provider”), under which Provider will provide certain services (collectively, the “Services”) to Customer.

1.              Definitions

For purposes of this DPA, the terms below have the meanings set forth below.  Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.

(a)             Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

(b)             Applicable Data Protection Laws means U.S. federal and state privacy, data protection and data security laws and regulations applicable to the Processing of Personal Data under the Agreement, including the CCPA to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement.    

(c)             CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder.

(d)             GDPR means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).

(e)             Information Security Incident means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

(f)              Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” as defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, except that Personal Data does not include such information pertaining to Customer’s business contacts who are Customer personnel where Provider acts as a controller (meaning the entity that determines what data to collect and for what purposes) of such information.

(g)             Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(h)             Security Measures has the meaning given in Section 4(a) (Provider’s Security Measures).

2.              Duration and Scope of DPA

(a)             This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement. 

(b)             Annex 1 (California Annex) to this DPA applies solely to Processing subject to the CCPA if Customer is a “business” or “service provider” (as defined in CCPA) with respect to such Processing. 

3.              Customer Instructions

Provider will Process Personal Data only in accordance with Customer’s instructions to Provider.  This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Provider only pursuant to an amendment to this DPA signed by both parties.  Customer instructs Provider to Process Personal Data to provide the Services as contemplated by the Agreement.  Customer agrees that Processing Personal Data may involve Provider’s deriving aggregated, anonymized, and/or de-identified data related to the Services.

4.              Security

(a)             Provider Security Measures. Provider will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (the “Security Measures”) as described in Annex 2 (Security Measures).  Provider may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.

(b)             Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Provider becomes aware.  Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident.  Provider’s notification of or response to an Information Security Incident will not be construed as Provider’s acknowledgement of any fault or liability with respect to the Information Security Incident.

(c)             Customer’s Security Responsibilities and Assessment

(i)              Customer’s Security Responsibilities. Customer agrees that, without limitation of Provider’s obligations under Section 4 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data (including Personal Data); (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Customer Data (including Personal Data).

(ii)             Customer’s Security Assessment. Customer agrees that the Services, the Security Measures and Provider’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.

5.              Data Subject Rights

(a)             Provider’s Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control.  Customer shall compensate Provider for any such assistance at Provider’s then-current professional services rates, which shall be made available to Customer upon request.

(b)             Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request.

6.              Customer Responsibilities

(a)             Customer Compliance. Customer shall comply with its obligations under Applicable Data Protection Laws.  Customer shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all necessary consents from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Customer to Process Personal Data as contemplated by the Agreement.

(b)             Prohibited Data. Customer represents and warrants to Provider that Customer Data does not and will not, without Provider’s prior written consent, contain any information subject to the GDPR, social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; or information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age.

7.              Miscellaneous

Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect.  In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern.  Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.  Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Provider’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts.  Customer is solely responsible for ensuring that such email addresses are valid.

Annex 1 to DPA

California Annex

1.              For purposes of this Annex 1, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.

2.              It is the parties’ intent that with respect to any personal information, Provider is a service provider.  Provider shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; or (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer.  Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.

3.              The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.

Annex 2 to DPA

Security Measures

1.              Organizational management and staffing responsible for the development, implementation and maintenance of the Provider’s information security program.

2.              Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider’s organization, monitoring and maintaining compliance with the Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3.              Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or wirelessly, at rest, or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).

4.              Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

5.              Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords, requiring two-factor or multi-factor authentication to be configured whenever the accepting service has that capability, and requiring that Provider’s employees’ passwords:  (i) be at least eight (8) characters in length; (ii) not be stored in readable format on Provider’s computer systems; (iii) meet defined complexity requirements; (iv) be subject to a history threshold that prevents reuse of recent passwords; and (v) when newly issued, be changed after first use.

6.              System audit or event logging and related monitoring procedures to proactively record user access and system activity.

7.              Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to:  (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Provider’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

8.              Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Provider’s possession.

9.              Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Provider’s technology and information assets.

10.            Incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.

11.            Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures and/or network segmentation and VPC services from SOC-compliant public cloud providers, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

12.            Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

13.            Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.