Last Updated: October 24, 2021
This Data Processing Addendum (including the annexes attached hereto, this “DPA”) forms part of and is subject to the Luminary Cloud Terms of Service or the written agreement, as applicable (the “Agreement”) between the legal entity defined as ‘Customer’ thereunder (“Customer”) and Luminary Cloud, Inc. (“Provider”), under which Provider will provide certain services (collectively, the “Services”) to Customer.
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(d) GDPR means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).
(f) Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” as defined in Applicable Data Protection Law, or information of a similar character regulated thereby, except that Personal Data does not include such information pertaining to Customer’s business contacts who are Customer personnel where Provider acts as a controller (meaning the entity that determines what data to collect and for what purposes) of such information.
(h) Security Measures has the meaning given in Section 4(a) (Provider’s Security Measures).
(b) Annex 1 (California Annex) to this DPA applies solely to Processing subject to the CCPA if Customer is a “business” or “service provider” (as defined in CCPA) with respect to such Processing.
(a) Provider’s Security Measures. Provider will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data (the “Security Measures”) as described in Annex 2 (Security Measures). Provider may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.
(c) Customer’s Security Responsibilities and Assessment
(i) Customer’s Security Responsibilities. Customer agrees that, without limitation of Provider’s obligations under Section 4 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data (including Personal Data); (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Customer Data (including Personal Data).
(a) Customer Compliance. Customer shall comply with its obligations under Applicable Data Protection Laws. Customer shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all necessary consents from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Customer to Process Personal Data as contemplated by the Agreement.
(b) Prohibited Data. Customer represents and warrants to Provider that Customer Data does not and will not, without Provider’s prior written consent, contain any information subject to the GDPR, social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; or information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age.
Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered into in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Provider’s primary points of contact with Customer; or (c) to any email address provided by Customer for the purpose of receiving Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Annex 1 to DPA
California Annex
2. It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; or (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.
Annex 2 to DPA
Security Measures
5. Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords, requiring two-factor or multi-factor authentication to be configured whenever the accepting service has that capability, and requiring that Provider’s employees’ passwords: (i) be at least eight (8) characters in length; (ii) not be stored in readable form on Provider’s computer systems; (iii) meet defined complexity requirements; (iv) be subject to a history threshold that prevents reuse of recent passwords; and (v) when newly issued, be changed after first use.
7. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Provider’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
12. Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
13. Business resiliency/continuity and disaster recovery procedures designed to maintain service during, and/or recover from, foreseeable emergencies or disasters.