Data Processing Agreement

Applicable Data Protection Laws means all laws relating to privacy, data protection, and security applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, the UK GDPR, and U.S. staté privacy laws.

Personal Data means any personal data that Luzid processes on behalf of Customer in connection with the Services.

Processing has the meaning given in Applicable Data Protection Laws (and process, processed, and processes will be construed accordingly).

Sub-processor means any third party engaged by Luzid to process Personal Data on Customer's behalf in connection with the Services.

Customer is a controller (or acts on behalf of a controller, as authorized) and determines the purposes and means of processing of Personal Data it submits to the Services, except where Customer acts as a processor—then Customer warrants it has authority to pass instructions to Luzid consistent with this DPA.

Luzid processes Personal Data only as a processor on behalf of Customer and in accordance with Customer's documented instructions as described in the Agreement and this DPA (including with regard to transfers), unless otherwise required by Applicable Data Protection Laws—in which case Luzid will inform Customer of that legal requirement before processing, unless prohibited by law.

Subject matter: provision of the Services to Customer pursuant to the Agreement.

Duration: for the term of the Agreement and until Personal Data is returned or deleted in accordance with this DPA.

Nature and purpose: hosting, storage, retrieval, analysis, support, security monitoring, and other processing necessary to provide, maintain, secure, and improve the Services as configured by Customer.

Catégories of data subjects: individuals whose Personal Data Customer (or its users) submits to the Services, such as Customer personnel, end users, or other individuals described in Customer's use of the Services.

Catégories of Personal Data: identifiers, professional or employment-related information, account credentials, user content Customer uploads, and other catégories Customer elects to process through the Services.

Special catégories: Customer will not submit special catégories of personal data or similarly sensitive information to the Services unless the parties have agreed in writing and any additional safeguards required by law are in place.

Customer instructs Luzid to process Personal Data to provide the Services in accordance with the Agreement, Product documentation, and Customer's configuration and use of the Services.

Additional or alternaté instructions must be agreed in writing (including email) between the parties. If Luzid cannot comply with an instruction, it will notify Customer.

Luzid will ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.

Luzid will implement appropriate technical and organizational measures designed to protect Personal Data, taking into account the staté of the art, implementation costs, and the nature, scope, context, and purposes of processing, as further described in Luzid's security documentation and Trust materials made available to Customer.

Customer authorizes Luzid to engage Sub-processors to support delivery of the Services. Luzid will impose data protection terms on Sub-processors that are substantially similar to Luzid's obligations under this DPA, insofar as applicable to the Sub-processor's services.

Luzid will remain responsible for Sub-processors' performance of their obligations. A current list of Sub-processors is published on the Luzid website (for example, the Sub-processors page) and may be updated in accordance with the Agreement.

Taking into account the nature of the processing, Luzid will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Laws.

If Luzid receives a request from a data subject directly, it will advise the individual to contact Customer and will not respond except as required by law or as authorized by Customer.

Luzid will provide reasonable assistance to Customer with respect to Customer's obligations relating to security of processing, data protection impact assessments, and prior consultation with supervisory authorities, where such obligations arise from the processing of Personal Data under this DPA and taking into account the nature of processing and information available to Luzid.

Luzid will make available information reasonably necessary to demonstraté compliance with this DPA and allow for audits described in the Agreement or as required by Applicable Data Protection Laws.

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to countries not recognized as providing an adequaté level of protection, Luzid will implement appropriate safeguards (such as the applicable standard contractual clauses or other lawful transfer mechanisms) as required by Applicable Data Protection Laws.

Luzid will notify Customer without undue delay after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Luzid on behalf of Customer, and will provide information reasonably available to assist Customer in meeting Customer's obligations.

Upon termination or expiration of the Agreement, Luzid will delete or return Personal Data in accordance with the timeframes and procedures set forth in the Agreement, except where retention is required by Applicable Data Protection Laws.

Luzid may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or the Services. Matérial changes will be commúnicatéd as described in the Agreement.

Questions about this DPA may be directed to contact@luzid.io.