LYFTHELM GDPR DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is an agreement between Lyfthelm Ltd (“Lyfthelm,” “we,” “us,” or “our”) and you or the entity you represent (“Customer”, “you” or “your”). This DPA supplements our standard terms and conditions when GDPR applies to your use of our services to process Customer Data. Unless otherwise defined in this DPA or in the Agreement, all capitalised terms used in this DPA will have the meanings given to them in Section 17 of this DPA.
- Data Processing.
- Scope and Roles. This DPA applies when Customer Data is processed by Lyfthelm. In this context, Lyfthelm will act as “processor” to Customer who may act either as “controller” or “processor” with respect to Customer Data (as each term is defined in the GDPR).
- Details of Data Processing.
- Subject matter. The subject matter of the data processing under this DPA is Customer Data.
- Duration. As between Lyfthelm and Customer, the duration of the data processing under this DPA is determined by Customer.
- Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
- Nature of the processing: Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
- Type of Customer Data: Customer Data uploaded to the Services under Customer’s accounts.
- Categories of data subjects: The data subjects may include Customer’s customers, employees, suppliers and end-users.
- Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR.
- Customer Instructions. The parties agree that this DPA and the Agreement constitute Customer’s instructions regarding Lyfthelm’s processing of Customer Data (“Documented Instructions”). Lyfthelm will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Lyfthelm and Customer, including agreement on any additional fees payable by Customer to Lyfthelm for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Lyfthelm declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
- Confidentiality of Customer Data. Lyfthelm will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Lyfthelm a demand for Customer Data, Lyfthelm will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Lyfthelm may provide Customer’s basic contact information to the government body. If compelled to disclose Customer Data to a government body, then Lyfthelm will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Lyfthelm is legally prohibited from doing so.
- Confidentiality Obligations of Lyfthelm Personnel. Lyfthelm restricts its personnel from processing Customer Data without authorisation by Lyfthelm. Additionally, Lyfthelm imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
- Security of Data Processing
- Lyfthelm has implemented and will maintain the technical and organisational measures for the Lyfthelm Network as described in the Lyfthelm Security Standards and this Section. In particular, Lyfthelm has implemented and will maintain the following technical and organisational measures:
- security of the Lyfthelm Network as set out in Section 1.1 of the Lyfthelm Security Standards;
- physical security of the facilities as set out in Section 1.2 of the Lyfthelm Security Standards;
- measures to control access rights for Lyfthelm employees and contractors in relation to the Lyfthelm Network as set out in Section 1.1 of the Lyfthelm Security Standards; and
- processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by Lyfthelm as described in Section 2 of the Lyfthelm Security Standards.
- Customer may elect to implement technical and organisational measures in relation to Customer Data. Such technical and organisational measures include the following which may be obtained by Customer from Lyfthelm, or directly from a third party supplier:
- pseudonymisation and encryption to ensure an appropriate level of security;
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are being operated by Customer;
- measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
- processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by Customer.
- Sub-processing.
- Authorised Sub-processors. Customer agrees that Lyfthelm may use sub-processors to fulfil its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services. At least 30 days before Lyfthelm engages any new sub-processor to carry out processing activities on Customer Data on behalf of Customer, Lyfthelm will provide Customer with a mechanism to obtain notice of that update. Customer consents to Lyfthelm’s use of sub-processors as described in this Section. Except as set forth in this Section, or as Customer may otherwise authorise, Lyfthelm will not permit any sub-processor to carry out processing activities on Customer Data on behalf of Customer.
- Sub-processor Obligations. Where Lyfthelm authorises any sub-processor as described in Section 6.1:
- Lyfthelm will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer and any End Users in accordance with the Documentation and Lyfthelm will prohibit the sub-processor from accessing Customer Data for any other purpose;
- Lyfthelm will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by Lyfthelm under this DPA, Lyfthelm will impose on the sub-processor the same contractual obligations that Lyfthelm has under this DPA; and
- Lyfthelm will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause Lyfthelm to breach any of Lyfthelm’s obligations under this DPA.
- Data Subject Rights. Taking into account the nature of the Services, Lyfthelm offers Customer certain controls as described in Section 5.2 that Customer may elect to use to comply with its obligations towards data subjects. Should a data subject contact Lyfthelm with regard to correction or deletion of its personal data, Lyfthelm will use commercially reasonable efforts to forward such requests to Customer.
- Optional Security Features. Lyfthelm makes available a number of security features and services that Customer may elect to use. Customer is responsible for (a) implementing the measures described in Section 5.2, as appropriate, and (b) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorised access and measures to control access rights to Customer Data.
- Security Breach Notification.
- Security Incident. Lyfthelm will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident.
- To assist Customer in relation to any personal data breach notifications Customer is required to make under the GDPR, Lyfthelm will include in the notification under Section 9.1(a) such information about the Security Incident as Lyfthelm is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Lyfthelm, and any restrictions on disclosing the information, such as confidentiality.
- Unsuccessful Security Incidents. Customer agrees that:
- an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data or to any of Lyfthelm’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents; and
- Lyfthelm’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by Lyfthelm of any fault or liability of Lyfthelm with respect to the Security Incident.
- Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Lyfthelm selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Lyfthelm management console and secure transmission at all times.
- Lyfthelm Audits.
- Lyfthelm Audits. Lyfthelm uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which Lyfthelm provides the Services. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third party security professionals at Lyfthelm’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be Lyfthelm’s Confidential Information.
- Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, Lyfthelm will provide Customer with a copy of the Report so that Customer can reasonably verify Lyfthelm’s compliance with its obligations under this DPA.
- Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to Lyfthelm, Lyfthelm will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information Lyfthelm makes available under this Section 10.
- Customer Audits. Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing Lyfthelm to carry out the audit described in Section 10. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Lyfthelm written notice as provided for in the Agreement. If Lyfthelm declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this DPA and the Agreement.
- Transfers of Personal Data.
- Customer may specify the location(s) where Customer Data will be processed within the Lyfthelm Network, including the EU (Dublin) Region, the EU (Frankfurt) Region, the EU (London) Region and the EU (Paris) Region (each a “Region”). Once Customer has made its choice, Lyfthelm will not transfer Customer Data from Customer’s selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.
- Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
- Removal of Customer Data. Lyfthelm will delete Customer Data when requested by Customer by using the Service controls provided for this purpose by Lyfthelm.
- Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Lyfthelm, Lyfthelm will inform Customer without undue delay. Lyfthelm will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.
- Entire Agreement. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties, including the Agreement, and this DPA, the terms of this DPA will control.
- Unless otherwise defined in the Agreement, all capitalised terms used in this DPA will have the meanings given to them below:
“Lyfthelm Network” means Lyfthelm’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Lyfthelm’s control and are used to provide the Services.
“Lyfthelm Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.
“Customer” means you or the entity you represent.
“Customer Data” means the “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s Lyfthelm accounts.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
“Security Incident” means a breach of Lyfthelm’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.
ANNEX 1 Lyfthelm Security Standards
Capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement.
- Information Security Program. Lyfthelm will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Lyfthelm Network, and (c) minimise security risks, including through risk assessment and regular testing. Lyfthelm will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:
- Network Security. The Lyfthelm Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. Lyfthelm will maintain access controls and policies to manage what access is allowed to the Lyfthelm Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Lyfthelm will maintain corrective action and incident response plans to respond to potential security threats.
- Physical Security
- Physical Access Controls. Physical components of the Lyfthelm Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorised entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorised employees or contractors while visiting the Facilities.
- Limited Employee and Contractor Access. Lyfthelm provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Lyfthelm or its Affiliates.
- Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Lyfthelm also maintains electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
- Continued Evaluation. Lyfthelm will conduct periodic reviews of the security of its Lyfthelm Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Lyfthelm will continually evaluate the security of its Lyfthelm Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.