Data Processing Addendum

This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (“DPA”), forms an integral part of the LakeSail Master Cloud Services Agreement, or any other written agreement that governs Customer’s use of the LakeSail Services (as defined below) entered into between the entity identified as the “Customer” in the signature block below (“Customer”) and LakeSail, Inc. (“LakeSail”) (the “Agreement”), and applies solely to the extent that LakeSail processes any Customer Personal Data (defined below) in connection with the LakeSail Services. By signing this DPA, Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and its Authorized Affiliates.

  1. DEFINITIONS
  2. Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA.
  3. Authorized Affiliate” means a Customer Affiliate who is authorized to use the LakeSail Services under the Agreement and who has not signed their own separate “Agreement” with LakeSail.
  4. CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be amended, superseded or replaced from time to time.
  5. Customer Content” means, if not defined within the Agreement, all data processed by LakeSail on your behalf in the course of providing the LakeSail Services.
  6. Customer Personal Data” means any ‘personal data’ or ‘personal information’ contained within Customer Content.
  7. LakeSail Services” means the Platform Services (as defined in the Agreement) and/or any other services provided directly by LakeSail to Customer under the Agreement.
  8. European Data Protection Laws” means (a) Regulation 2016/679 (General Data Protection Regulation) (“EU GDPR”); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss Data Protection Act”); in each case as may be amended, superseded or replaced from time to time.
  9. Restricted Transfer” means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
  10. Security Addendum” means the security addendum found at lakesail.com/legal/security-addendum.
  11. Security Breach” means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  12. Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
  13. Subprocessor” means any other processor engaged by LakeSail to process Customer Personal Data.
  14. UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioners Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.
  15. The terms “controller”, “data subject”, “supervisory authority”, “processor”, “process”, “processing”, “personal data”, and “personal information” shall have the meanings given to them in Applicable Data Protection Laws. The term “controller” includes “business”, the term “data subject” includes “consumers”, and the term “processor” includes “service provider” (in each case, as defined by the CCPA).
  16. PROCESSING OF PERSONAL DATA
  17. Scope and Roles of the Parties. This DPA applies when Customer Personal Data is processed by LakeSail as a processor in its provision of the LakeSail Services to Customer, who will act as either a controller or processor, as applicable, of Customer Personal Data.
  18. Customer Processing. Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to LakeSail, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Laws for LakeSail to process Customer Personal Data and provide the LakeSail Services pursuant to the Agreement (including this DPA).
  19. LakeSail Processing. LakeSail agrees that (a) when LakeSail processes Customer Personal Data in its capacity as a processor on behalf of the Customer, LakeSail will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer’s documented instructions (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer’s Authorized Users through the LakeSail Services). LakeSail is not responsible for determining if Customer’s processing instructions are compliant with applicable law. However, LakeSail shall notify Customer in writing if, in its reasonable opinion, the Customer’s processing instructions infringe Applicable Data Protection Laws and provided that Customer acknowledges that Customer Personal Data may be processed on an automated basis in accordance with Customers’ use of the LakeSail Services, which LakeSail does not monitor.
  20. Details of Processing. The details of the processing of Customer Personal Data by LakeSail are set out in Annex A to the DPA.
  21. CONFIDENTIALITY
  22. Personnel. LakeSail shall ensure that any employees or personnel it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
  23. SUBPROCESSING
  24. Authorization. Customer provides a general authorization to LakeSail’s use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at lakesail.com/legal/lakesail-subprocessors (“Subprocessor List”).
  25. Subprocessor Obligations. LakeSail shall (i) enter into a written agreement with its Subprocessors, which includes data protection and security measures no less protective than the measures set forth in this DPA; and (ii) remain fully liable for any breach of the Agreement and this DPA that is caused by an act, error or omission of its Subprocessors to the extent that LakeSail would have been liable for such act, error or omission had it been caused by LakeSail.
  26. Subprocessor Changes. LakeSail shall update the Subprocessor List when any new Subprocessor commences processing Customer Personal Data. Such update will constitute notice to Customer of LakeSail’s engagement of such new Subprocessor.
  27. ASSISTANCE
  28. Data Subject Requests. Customer is responsible for responding to and complying with data subject requests (“DSR”). The LakeSail Services may include controls that Customer may use to assist it to respond to DSR. If Customer is unable to access or delete any Customer Personal Data using such controls, LakeSail shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to the DSR. If a data subject sends a DSR to LakeSail directly and where Customer is identified or identifiable from the request, LakeSail will promptly forward such DSR to Customer and LakeSail shall not, unless legally compelled to do so, respond directly to the data subject except to refer them to the Customer to allow Customer to respond as appropriate.
  29. Legal Requests. If LakeSail receives a subpoena, court order, warrant or other legal demand from law enforcement or any public or judicial authority seeking the disclosure of Customer Personal Data, LakeSail will attempt to redirect the governmental body to request such Customer Personal Data directly from Customer. As part of this effort, LakeSail may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, LakeSail will give Customer reasonable notice of the legal demand to allow Customer to seek a protective order or other appropriate remedy, unless LakeSail is legally prohibited from doing so.
  30. SECURITY
  31. Security Measures. LakeSail has implemented and will maintain appropriate technical and organizational security measures as set forth in the Security Addendum (“Security Measures”). The Security Measures are subject to technical progress and development and LakeSail may update the Security Measures, provided that any updates shall not materially diminish the overall security of Customer Personal Data or the LakeSail Services.
  32. Security Breach Notification. In the event of a Security Breach, LakeSail will (a) notify Customer in writing without undue delay and in accordance with Applicable Data Protection Laws after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects resulting from the Security Breach. LakeSail will reasonably cooperate with and assist Customer with respect to any required notification under Applicable Data Protection Laws, taking into account the nature of the processing, the information available to LakeSail, and any restrictions on disclosing the information (such as confidentiality).
  33. COMPLIANCE REVIEW
  34. Compliance Review. Only to the extent Customer cannot reasonably satisfy itself of LakeSail’s compliance with this DPA through then-current compliance information made available by LakeSail, or where required by Applicable Data Protection Laws, Customer may send a written request to conduct a compliance review of LakeSail’s applicable controls on an annual basis. LakeSail and Customer shall mutually agree on the details of the compliance review, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such compliance review. The compliance review, any information provided in connection with the compliance review, and any information arising therefrom shall be considered LakeSail Confidential Information and may only be shared with a third party (including a third party controller) with LakeSail’s prior written agreement.
  35. BACKUP, DELETION & RETURN
  36. No Backups. The LakeSail Services do not include backup services or disaster recovery for Customer Personal Data. LakeSail does provide functionality within the LakeSail Services that may permit Customer to backup certain Customer Personal Data on its own. It is the Customer’s obligation to backup any Customer Personal Data if desired.
  37. Deletion. The LakeSail Services may include controls that Customer may use during the term of the Agreement to retrieve or delete Customer Personal Data. Subject to the terms of the Agreement, LakeSail will delete Customer Personal Data from the LakeSail Services when Customer uses such controls to send an instruction to delete.
  38. CCPA COMPLIANCE
  39. LakeSail shall not process, retain, use, or disclose Customer Personal Data for any purpose other than for the purposes set out in the Agreement, DPA and as permitted under the CCPA. LakeSail shall not sell or share information as those terms are defined under the CCPA.
  40. GENERAL
  41. The parties agree that this DPA shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the LakeSail Services. LakeSail may update this DPA from time to time, with such updated version posted to lakesail.com/legal/dpa or a successor website designated by LakeSail; provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
  42. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
  43. LakeSail’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) Customer is solely responsible for communicating any additional processing instructions on behalf of its Authorized Affiliates; (b) Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations under this DPA; and (c) if an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against LakeSail (“Authorized Affiliate Claim”), Customer must bring such Authorized Affiliate Claim directly against LakeSail on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim, and all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.
  44. In the event of any conflict between this DPA and any data privacy provisions set out in any agreements between the parties relating to the LakeSail Services, the parties agree that the terms of this DPA shall prevail. If there is any conflict between this DPA and a Business Associate Agreement entered into between the parties (“BAA”), then the BAA shall prevail to the extent of any conflict solely with respect to any PHI (as defined in such BAA).
  45. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including all Annexes hereto), the SCCs or any data protection agreements in connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability section of the Agreement and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Annexes hereto. Customer agrees that any regulatory penalties incurred by LakeSail that arise in connection with Customer’s failure to comply with its obligations under this DPA or any laws or regulations including Applicable Data Protection Laws shall reduce LakeSail’s liability under the Agreement as if such penalties were liabilities to Customer under the Agreement.
  46. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
  47. The obligations placed upon each party under this DPA and the Standard Contractual Clauses shall survive so long as LakeSail processes Customer Personal Data on behalf of Customer.

[SIGNATURE PAGE FOLLOWS]

Signature pages provided in LakeSail's automated signature workflow

ANNEX A
DESCRIPTION OF THE PROCESSING / TRANSFER

ANNEX 1(A): LIST OF PARTIES
Data exporterName of the data exporter: The entity identified as the “Customer” in the Agreement and this DPA. Contact person’s name, position and contact details: The address and contact details associated with Customer’s LakeSail account, or as otherwise specified in this DPA or the Agreement. Activities relevant to the data transferred: The activities specified in Annex 1(B)below. Signature and date: See front end of the DPA.
Data importerName of the data importer: LakeSail, Inc. Contact person’s name, position and contact details: Haitham Amin, General Counsel, dpa@lakesail.com Activities relevant to the data transferred: The activities specified in Annex 1.B below. Signature and date: See front end of the DPA.
ANNEX 1(B): DESCRIPTION OF THE PROCESSING / TRANSFER
Categories of data subjects whose personal data is transferred:Data subjects include individuals about whom data is provided to LakeSail via the LakeSail Services (by or at the direction of Customer), which shall include: ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ____________________________________________________________________________ IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the categories of data subjects include: (a) individual contacts, prospects, customers, business partners and vendors of Customer (who are natural persons); (b) employees or contact persons of Customer’s prospects, customers, business partners and vendors; (c) employees, agents, advisors, freelancers of Customer (who are natural persons); (d) Customer’s Authorized Users or (e) other individuals whose personal data is included in Customer Content.
Categories of personal data transferred:The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ____________________________________________________________________________ IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the types of Customer Personal Data may include but are not limited to the following types of Customer Personal Data: (a) name, address, title, contact details; and/or (b) any other personal data processed in the course of the Services as Customer Content.
Sensitive data transferred (if appropriate):Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer may include ‘special categories of personal data’ or similarly sensitive personal data (as described or defined in Applicable Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
Frequency of the Transfer:Continuous or one-off depending on the services being provided by LakeSail.
Nature, subject matter and duration of the processing:Nature: LakeSail provides a cloud-based unified data computation platform and related services, as further described in the Agreement. Subject Matter: Customer Personal Data. Duration: The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which LakeSail processes Customer Personal Data.
Purpose(s) of the data transfer and further processing:LakeSail shall process Customer Personal Data for the following purposes: (a) as necessary for the performance of the LakeSail Services and LakeSail’s obligations under the Agreement (including the DPA), including processing initiated by Authorized Users in their use and configuration of the LakeSail Services; and (b) further documented, reasonable instructions from Customer agreed upon by the parties (the “Purposes”).
Period for which the personal data will be retained:LakeSail will retain Customer Personal Data for the term of the Agreement and any period after the termination of expiry of the Agreement during which LakeSail processes Customer Personal Data in accordance with the Agreement.