September 2021

Data Processing Attachment (DPA)

This Data Processing Attachment (“DPA”) forms part of LumApps’ Terms of Use (“Terms”) and governs the processing of Personal Data of the Customer (“Customer” or “Controller”) and LumApps (“Processor” or “LumApps”) (“Processor” or “LumApps”) and the Customer (“Controller”) (Each a “Party”; together comprising the “Parties” to this DPA).

Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Terms.

1. Definitions

Applicable Laws” the Regulation 2016/679 of the European Parliament and of the Council “on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data” (hereafter the “General Data Protection Regulation” or “GDPR”);

Data Subject” means the identified or identifiable person to whom Personal Data relates;

Personal Data” means the information relating to an identified or identifiable natural person entered into the Application.

Physical, Technical and Organizational Security Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing;

Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, the Personal Data transmitted, stored, or otherwise processed as part of the Service.

Sub-processor” means a third party selected by the Processor to process Personal Data in connection with provision of the Service.

2. Description of Personal Data Processing

The subject matter of the Personal Data processing is described in Schedule A.

3. Obligations of Processor

3.1. The Processor shall process the Personal Data as follows:

(a) Keep the Personal Data secure and accessible only to authorized persons who are committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) Process such Personal Data only in accordance with the reasonable instructions requirements of the Controller. Controller and Processor agree that the DPA together with the Controller’s use of the Services in accordance with these Terms, constitute the Controller’s complete and final instructions to LumApps in relation to the processing of Personal Data, and additional instructions outside the scope of these instructions shall require prior written agreement between Controller and Processor;

(c) Immediately inform the Controller if, in its opinion, an instruction of the Controller infringes the Applicable Laws. Once informed that one of its instructions may be in breach of data protection law, the Controller shall assess the situation and determine whether the instruction actually violates a data protection law. If the Controller persists with an unlawful instruction, LumApps shall be entitled to terminate this DPA or the Order;

(d) Ensure that such Personal Data is only used for purposes authorized by the Controller;

(e) Implement and maintain appropriate Physical, Technical and Organizational Security Measures. Notwithstanding any provision to the contrary, the Processor may modify or update the Physical, Technical and Organizational Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Physical, Technical and Organizational Security Measures;

(f) Notify the Controller without undue delay, after becoming aware, with all available information regarding a Security Incident and provide cooperation as necessary to enable it to comply with any obligation to report information regarding such a Security Incident to the appropriate regulatory agency and/or to the relevant data subjects in accordance with the requirements of the Applicable Laws;

(g) Provide access to retrieve the Personal Data to Controller during the three (3) months after the termination or the expiry of the Order, unless required to be stored under other Applicable Laws;

(h) Make available to the Controller, upon its express request, information necessary to demonstrate compliance with its obligations laid down in the DPA by appropriate means in compliance with the Processor’s internal organization;

(i) Promptly notify the Controller in the event of:

(1) Any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(2) Any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so;

(j) Deal promptly and properly with all inquiries from the Controller relating to the processing of the Personal Data and

(k) Follow by the advice of the appropriate supervisory and/or regulatory authority with regard to the processing of the Personal Data transferred.

(l) Upon the Controller’s express request, assist the Controller in carrying out data protection impact assessments when required, and in consulting the supervisory authority when the outcome reveals that there is a high risk that cannot be mitigated.

4. Sub Processing

4.1. The Controller authorizes the Processor to engage other Sub-processors to assist in fulfilling LumApps’ obligations with respect to the provision of the Services.

4.2. LumApps has currently appointed, as Sub-processors, the third parties listed in Schedule A.

4.3. The Processor shall inform the Controller of any changes concerning the addition or replacement of any Sub-processor within a reasonable time. The Controller shall have the opportunity to object to the engagement of a new Sub-processor on legitimate grounds relating to the protection of Personal Data within 10 days after being notified of such change. In case of an objection, the Parties will discuss the Controller’s concerns in good faith with a view to achieving a commercially reasonable resolution.

4.4. When Personal Data is sub-processed to Sub-Processors located outside of the EEA, the Controller hereby agrees to the signature by the Processor on its behalf of the standard contractual clauses for the transfer of personal data to Sub-Processors established in third countries under Commission Decision 2010/87/EU or equivalent standard data protection clauses under EU Law.

4.5. In any case, where the Processor engages Sub-processors, it will impose data protection terms on the Sub-processors that provide at least the same level of protection for Personal Data as those in Section 3, to the extent applicable to the nature of the services provided by such Sub-processors. The Processor will remain responsible for each Sub-processor’s compliance with its data protection obligations.

5. Audit

5.1. The Processor shall allow for, and contribute to, audits, including inspections, conducted by the Controller or another auditor mandated by the Controller in accordance with the following procedures:

(a) Upon the Controller’s request, the Processor will provide the Controller or its mandated auditor with the most recent certifications and/or summary audit report(s), which the Processor has procured to regularly test, assess and evaluate the effectiveness of the technical and organizational measures;

(b) The Processor shall reasonably cooperate with the Controller by providing available additional information concerning the technical and organizational measures, to help the Controller better understand such measures.

(c) To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the Parties, only legally mandated entities (such as governmental regulatory agency having oversight of the Controller’s operations), the Controller or its mandated auditor may conduct an audit subject to a fifteen (15) business days prior notice and within the limit of one (1) audit per year. During such audit, the Processor will disclose to the Controller the information necessary to demonstrate compliance with the obligations defined in this Section. The Controller shall have no right to view or access any systems, data, records or other information relating or pertaining to other customers or resellers of the Processor. Any such audit under the scope of this Section by the Controller is conducted at its own costs, on a time and material basis. The Controller shall provide the Processor with a copy of the audit report.

5.2. Any auditor mandated by the Controller shall not be a direct competitor of the Processor with regard to the Services and shall be bound to an obligation of confidentiality.

6. Data Subject rights

6.1. The Processor shall provide support to enable the Controller to respond to any request by any individual exercising his or her right under the Applicable Laws, including the right to access, correct or retrieve Personal Data, request or complaint by any person or regulatory authority in connection with the processing of Personal Data. If such requests, correspondence, inquiries or complaints go directly to the Processor, the latter will promptly inform the Controller and will advise the Data Subject to submit their request to the Controller, who is solely responsible for responding substantively to any such requests or communications.

6.2. The Controller shall:

(a) warrant to the Processor that it is entitled to, and has obtained all necessary consents required to, use and transfer such Personal Data to Processor as required for the Processor and its sub-processor to provide the Service, in full compliance with applicable data protection laws, including as needed, compliance to any prior required formalities and data subject rights, such as information and/or consent when such is required under applicable data protection laws;

(b) be solely responsible (i) for the accuracy, quality and legality of the Personal Data shared to the Processor and the means by which it acquired Personal Data, and for (ii) determining the purposes and the means of LumApps processing the of Personal Data;

(c) remain responsible for the completeness, the appropriation and the accuracy of the documented instructions.

Any changes to the instructions given or the security measures that are required by the Controller, shall be borne by the Controller.

Schedule A – Description of Personal Data Processing

Description Details
Purpose Use of LumApps Services and others services
Processing activities
  • Support and management of customer business operations;
  • Supply a directory of the users;
  • Improvement of user experience and fostering of the adoption and design features that fit user needs;
  • Monitoring for metrics, traces and logs to perform Lumapps support and security duties;
  • Storage.
Duration of the processing The duration of the applicable agreement or Order and 3 months after in order to provide the Customer the possibility to retrieve Personal Data.
Categories of personal data Name, address, title, position, telephone, e-mail address, IP address, usernames, passwords and any other Personal Data voluntarily provided by the users of the Application and/or Customer in the Application (example: job location, date of birth, hobbies, HR registration number, etc).
Categories of persons concerned Users as described in the applicable agreement or Order.
List of subprocessor(s) and their location(s) https://www.lumapps.com/legal/lumapps-platform-subprocessors/
LumApps Legal Pages