DPA | LiftLab

Data Processing Addendum

Last Updated August 3, 2023

This Customer Data Processing Addendum ("DPA") is entered into between LiftLab Analytics, Inc. (“LiftLab”) and the customer whose agreement incorporates this DPA (“Customer”) and forms part of the written or electronic terms of service or subscription agreement, including the Terms of Use, or other agreement executed between LiftLab and Customer (the “Agreement”) for Customer’s purchase of LiftLab’s marketing business intelligence platform and associated support and other services (collectively, the “Services”). By entering into the Agreement, the parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their Affiliates, and this DPA shall be effective on the effective date of the Agreement ("Effective Date").

All capitalized terms not defined in this DPA shall have the meanings given in the Agreement.

1. Definitions

"Affiliate" has the meaning given in the Agreement.

"Customer Data" has the meaning given in the Agreement.

"Customer Personal Data" means any Customer Data that is Personal Data.

"Data Protection Laws" means all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data under the Agreement in any relevant jurisdiction, including, where applicable, the EU Data Protection Law, and, in Switzerland, the Switzerland Federal Act on Data Protection (“FADP”) and the revised FADP (“revFADP”), and, in the UK, the UK Data Protection Act of 2018 and the United Kingdom General Data Protection Regulation ("UK GDPR”), and any legislation and/or regulation implementing or made pursuant to the foregoing, or which amends, replaces, re-enacts or consolidates any of them.

"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.

"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.

"EU Data Protection Law" means Directive 2002/58/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data, and Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR").

"EEA" means, for the purposes of this DPA, the European Economic Area and/or its member states, United Kingdom and/or Switzerland.

"Model Clauses" means, with respect to regulated processing transfers originating in the European Union, the Standard Contractual Clauses for Processors as approved by the European Commission and set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in the forms set out at: (1) for regulated processing transfers originating in the EU, the clauses incorporated by reference in Annex C, and (2) for regulated processing transfers originating from the UK, the Standard Data Protection Clauses as approved by the Information Commisioners Office under S119A(1) UK Data Protection Act 2018, incorporated by reference in Annex C, or (3) other applicable Model Clauses as the parties may agree upon, acting in good faith, based on the parties respective roles and type of transfer.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" has the meaning given to it under the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Purposes" shall mean the data processing purposes described and defined in Section 3.4 of this DPA.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, but does not include any Unsuccessful Security Incident.

"Sub-processor" means any Data Processor engaged by LiftLab or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or LiftLab’s Affiliates.

"Unsuccessful Security Incident” means an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

2. Scope and Applicability of this DPA

2.1 This DPA applies where and only to the extent that LiftLab Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.

2.2 Notwithstanding expiry or termination of the Agreement, this DPA and the Model Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data by LiftLab as described in this DPA.

3. Roles and Scope of Processing

3.1 Role of the Parties. As between LiftLab and Customer, Customer is either a Data Controller or a Data Processor of Customer Personal Data, and LiftLab is only a Data Processor of Customer Personal Data acting on behalf of Customer.

3.2. Customer Processing of Personal Data. Customer agrees that: (i) it will comply with its obligations under Data Protection Laws in respect of its processing of Personal Data, including any obligations specific to its role as a Data Processor or Data Controller (where Data Protection Laws recognise such concept); (ii) it has provided all notices and obtained all consents, permissions and rights necessary under Data Protection Laws for LiftLab to lawfully process Personal Data for the Purposes; and (iii) it shall ensure its processing instructions are lawful and that the processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. If Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer warrants to LiftLab that Customer's instructions and actions with respect to that Customer Personal Data, including its appointment of LiftLab as another Data Processor, have been authorized by the relevant Data Controller.

3.3. Customer Instructions. LiftLab will process Customer Personal Data only for the Purposes and in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement (including this DPA), and Customer’s selected configurations of the Services, sets out the Customer’s complete and final instructions to LiftLab in relation to the processing of Customer Personal Data. Additional processing outside the scope of these instructions (if any) will require prior written agreement between Customer and LiftLab.

3.4. Details of Data Processing

a. Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.

b. Duration: As between LiftLab and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms or the period of retention of the Customer Personal Data, whichever is longer.

c . Purpose: Customer Personal Data may be processed by LiftLab solely for the following purposes: (i) the provision of the Services to the Customer as further described in the Agreement and the performance of LiftLab's obligations or the exercise of express rights under the Agreement (including this DPA) or as otherwise agreed by the parties, (ii) as necessary for LiftLab to comply with law or governmental order consistent with Data Protection Laws; and (iii) processing initiated by users in their use of the Services (collectively, the "Purposes").

d. Nature of the processing: LiftLab provides the Services as described in the Agreement, which process Customer Personal Data and the instructions of the Customer in accordance with the terms of this DPA (including Exhibit A) and the Agreement.

e. Categories of data subjects: Customer Personal Data submitted to the Services may consist of Business Contact Information as defined in the Agreement or other Customer Personal Data of Customer’s website visitors, customers, prospects, vendors, or that are otherwise contained in communications or systems monitored via the Services. The parties specifically intend, however, that no Barred Data as defined in the Agreement may or will be provided to LiftLab or submitted to the Services.

f. Types of Personal Data: Customer may submit Customer Personal Data to the Services, which may include, but is not limited to, the following types of Business Contact Information:

I. Name, email address, or other Customer Personal Data exchanged in the course of requesting or receiving the Services.

3.5 Access or Use. LiftLab will not access or use Customer Personal Data, except as necessary for the Purposes, or as necessary to comply with the law or binding order of a governmental body.

4. Subprocessing

4.1 Authorized Sub-processors. Subject to Section 10 (Changes to Sub-Processors), Customer agrees that LiftLab may engage Sub-processors to process Customer Personal Data on Customer's behalf. The Sub-processors currently engaged by LiftLab and authorized by Customer are listed here.

4. 2 Sub-processor Obligations. LiftLab will: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause LiftLab to breach any of its obligations under this DPA. To the extent required under Data Protection Laws, and unless otherwise noted on the Model Clauses applicable between LiftLab and Customer, LiftLab will provide written notice to Customer of its intent to use a new Sub-processor at least thirty (30) days prior to providing such Sub-processor with access to the Customer Personal Data, and if Customer provides written notice to LiftLab (email privacy@LiftLab.com) within such thirty (30) day period that Customer objects to the use of such Sub-processor on grounds related to Data Protection Laws, and LiftLab is unable to provide the Services without the use of the Sub-processor, then (a) LiftLab will not provide the Customer Personal Data to the Sub-Processor and (b) LiftLab or Customer may terminate or suspend the provision of Services.

5. Security

5.1 Security Measures. LiftLab shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with LiftLab's security standards described in the attached Annex B ("Security Measures"). For purposes of the Model Clauses, the Security Measures constitute the agreed-to description of the data safeguards to be used by LiftLab in connection with all Processing subject to the Model Clauses.

5.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by LiftLab relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that LiftLab may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services subscribed to by Customer.

5.3 Confidentiality of processing. LiftLab shall ensure that any person who is authorized by LiftLab to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.4 No Assessment of Customer Data by LiftLab. Customer acknowledges that LiftLab will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents.

6. Security Reports and Audits

6.1 Customer acknowledges that LiftLab may be audited by independent third-party auditors and/or internal auditors against the standards specified in the Security Measures. Upon request, and if available, LiftLab shall supply (on a confidential basis) a summary copy of its then-current audit report(s) ("Report") to Customer, so that Customer can verify LiftLab's compliance with this DPA and the Security Measures. Notwithstanding the foregoing, Customer may disclose a Report as allowed under the applicable confidentiality section of the Agreement, including where requested or required by data protection authorities having jurisdiction over Customer even if not legally required (“Data Protection Authority Request”), provided, however, that Customer shall, unless legally prohibited, give LiftLab prior written notice of the Data Protection Authority Request such that LiftLab can attempt to secure confidential treatment for the Report. If Customer is not legally permitted to give LiftLab prior notice, Customer agrees to use reasonable efforts to secure confidential treatment for the Report and further agrees to not remove or obscure any “confidential”, “proprietary”, or similar markings from the Report.

6.2 LiftLab shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm LiftLab's compliance with this DPA, provided that Customer shall not exercise this right more than once per year, except that this right may also be exercised if Customer is expressly requested or required to provide this information to a data protection authority, or if LiftLab has experienced a Security Incident, or where otherwise required under Data Protection Laws.

7. International Transfers

7.1. LiftLab hosts Customer Data in the United States or such other regions as mutually agreed in writing with LiftLab or that are noted on the Order Form, if different, provided, however that LiftLab may process Customer Data anywhere in the world where LiftLab, its Affiliates or its Sub-processors maintain data processing operations. LiftLab will at all times provide appropriate safeguards for the Customer Personal Data wherever it is processed, in accordance with the requirements of Data Protection Laws.

7.2. Customer authorizes the transfer of the personal data to LiftLab and Sub-processors located outside the EEA where such transfer is required in connection with the provision of Services and/or is necessary in the normal course of business. To the extent that Customer Personal Data is to be transferred from the EEA to a country not designated by the European Commission, ICO or Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data, the parties agree to rely on the applicable Model Clauses to provide adequate protection for any Customer Personal Data. Customer and LiftLab shall enter into the Model Clauses in accordance with Annex C. For onward transfers from LiftLab to relevant Sub-processors, Customer consents to such onward transfers provided that LiftLab and relevant Sub-processors enter into a written agreement which imposes materially the same obligations on the Sub-processors as are imposed on LiftLab under the Model Clauses. As may be legally required, Customer shall execute this DPA including the applicable referenced Model Clause form and transmit a copy to LiftLab at the email address provided on the template, which will become effective as of the date countersigned by Customer.

8. Co-operation

8.1 If a law enforcement agency sends LiftLab a demand for Customer Personal Data (e.g., a subpoena or court order), LiftLab will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, LiftLab may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then LiftLab will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent LiftLab is legally permitted to do so.

9. Return or Deletion of Data

9.1. Deletion by Customer. LiftLab will enable Customer to delete Customer Data during the Subscription Term in a manner consistent with the functionality of the Services.

9.2. Deletion on Termination. LiftLab shall delete Customer Personal Data and other Customer Data upon termination or expiration of the Agreement in accordance with the provisions of the Agreement. LiftLab shall not be required to delete Customer Personal Data to the extent (i) LiftLab is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data; and/or (ii), Customer Personal Data has been archived on back-up systems, which Customer Personal Data LiftLab shall remain subject to the terms of the Agreement and this DPA for the period of retention.

9.3. Security Incident Response. Upon confirming a Security Incident, LiftLab shall: (i) notify Customer without undue delay, and in any event such notification shall, where feasible, occur no later than 48 hours from LiftLab confirming the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) LiftLab shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. LiftLab's notification of or response to a Security Incident under this Section 9.3 (Security Incident Response) will not be construed as an acknowledgment by LiftLab of any fault or liability with respect to the Security Incident.

10. Changes to Sub-processors.

10.1. LiftLab shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (by email, posting to the LiftLab website or other means in the normal course of LiftLab business ) if it adds or removes Sub-processors at least thirty (30) days' prior to allowing such Sub-processor to process Customer Personal Data.

10.2. Customer may object in writing to LiftLab’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If LiftLab cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement (including this DPA), but shall not be eligible for any refund and Customer must immediately pay all outstanding fees payable under the Agreement.

11. Cooperation

11.1. To the extent that Customer is unable to access the relevant Customer Personal Data within the Services using controls or tools provided by LiftLab via the Services (such as the administrative features of the Services), taking into account the nature of the Processing, LiftLab shall (at Customer's request and expense) provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. In the event that any request from individuals or applicable data protection authorities is made directly to LiftLab where such request identifies Customer, LiftLab shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so, and instead, after being notified by LiftLab, Customer shall respond. If LiftLab is required to respond to such a request, LiftLab will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

11.2. Customer acknowledges that LiftLab is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which LiftLab is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to LiftLab via the Services or other means provided by LiftLab, and will ensure that all information provided is kept accurate and up-to-date.

11.3 To the extent LiftLab is required under EU Data Protection Law, LiftLab shall (at Customer's request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

12. Relationship with the Agreement

12. 1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Services.

12.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.

12.3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s Affiliates under this DPA shall be subject to the limitations on liability set out in the Agreement.

12.4. Any claims against LiftLab or its Affiliates under this DPA shall only be brought by the Customer entity that is a party to the Agreement against the LiftLab entity that is a party to the Agreement. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

12.5. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

ANNEX A

Parties, Description Of Processing

A.   LIST OF PARTIES

Data exporter(s): 

Name: see Customer name referenced on the first page of DPA

Address: see Customer address on Order Form

Contact person’s name, position and contact details: see Customer contact information on Order Form.

Activities relevant to the data transferred under these Clauses:

Please see Section 3.4 (Details of Processing) of DPA for a description of the data subjects, categories of data, special categories of data and processing operations.

Signature and date: See signature on Order Form, or signature or order with Reseller.

Role: X controller X processor

Data importer(s): 

Name: LiftLab Analytics, Inc.

Address: 1111 Broadway 5th Floor, Oakland, CA 94607

Contact person’s name, position and contact details: Neil Hillis (CISO) neil@liftlab.com

Activities relevant to the data transferred under these Clauses:

Please see Section 3.4 (Details of Processing) of DPA.

Signature and date: See signature on Order Form or Agreement, as applicable.

Role: X Processor X sub-processor

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Please see Section 3.4 (Details of Processing) of DPA.

Categories of personal data transferred

Please see Section 3.4 (Details of Processing) of DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

LiftLab’s Services are used to provide marketing measurement services and help analytics teams understand the ROI of each and every marketing campaign using LiftLab’s proprietary business intelligence software and methodologies. In the course of providing the Services, and conducting this analysis, LiftLab may have access to Customer Data, including, where agreed between both parties, Personal Data contained therein (but in all events excluding Barred Data as defined in the Agreement). Customer’s authorized Users with login credentials to the Services will, where so configured by Customer, receive user-based notifications via the notification functionality within the Services. Customer Personal Data consisting of Business Contact Information of internal Users is also used by LiftLab in order to administer the Services, including engaging in routine business communications, such as invoices, business emails, other system notifications, including downtime alerts or other product notifications and/or the provision of support services, maintenance, training, or other services requested by the Customer or required to be provided by LiftLab.

Purpose(s) of the data transfer and further processing

For delivery of the Services under the Agreement and as described in nature of processing.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Please see section 3.4 of the DPA

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Subprocessors are used for data importers hosting infrastructure and as further described at the URL www.liftlab.com/subprocessors. Duration of processing is in accord with section 3.4 of DPA

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Please see clause 13 of EU Standard Contractual Clauses.

ANNEX B

LiftLab Data Safeguards Statement

These Data Safeguards (the “Data Safeguards Statement”) define the technical controls and security configurations that LiftLab uses in connection with the hosting and provision of the Services that process Customer Data (as each term is defined in the Agreement). LiftLab implements a comprehensive documented security program under which LiftLab implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Services and Customer Data (the “Security Program”), including, but not limited to, as set forth below. LiftLab regularly tests and evaluates its Security Program and may review and update its Security Program as well as this Data Safeguards Statement, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

Scope. This Data Safeguards Statement covers the LiftLab company network system used to deliver the Service and process Customer Data, which network system is comprised of various hardware, software, communication equipment and other devices designed to assist LiftLab in the creation, receipt, storage, processing, and transmission of Customer Data via the Services. This scope includes equipment connected to any LiftLab domain or VLAN, either hardwired or wirelessly, and includes all stand-alone equipment that is deployed by LiftLab at its office locations or at remote locales.
Hosting Partners. LiftLab utilizes third party Hosting Partners (currently, AWS/Google Cloud/Azure) as further described in the Agreement and/or Documentation (each, a “Hosting Partner") and provides the Service to Customer from a VPC/VNET hosted by the applicable Hosting Partner (the “Cloud Environment").
Security Officer Role. LiftLab’s Chief Information Security officer is Security Officer in charge of oversight and enforcement of the Security Program. The Security Officer is responsible for creating and enforcing the Security Policies herein; including the monitoring, vulnerability management, and incident detection and response initiatives; and tracking and reducing risk organization-wide. 
Employee Security

4.1 Security Awareness Training. LiftLab employees and contractors with privileged access to Customer Data are provided training on the company’s security policies and procedures annually.

4.2 Unattended Computers. LiftLab requires that all unattended company computers be locked by LiftLab employees or contractors when leaving the work area.

4.3 Background Screens. Newly-hired LiftLab employees in the United States undergo pre-employment background checks consistent with applicable law where permitted in the jurisdiction in which the candidate and/or employee are located. LiftLab may rescind an employee’s offer letter if their background check is found to be falsified, erroneous, or misleading and will not assign personnel to any role in which such personnel has access to Customer Data unless a background check has been completed for that individual and no issues were found. 

4.4. Working Remotely. Remote workers are required to follow LiftLab information security policies, must use LiftLab provided computer and network equipment unless other devices that are compliant with Liftlab’s Bring Your Own Device Policy (BYOD), and have been approved by the IT Department. Remote workers may not use their own mobile computing devices, computers, computer peripherals, or computer software for LiftLab business without prior authorization.

4.5 Use of LiftLab Corporate Assets. Only software that has been approved for corporate use by LiftLab may be installed on LiftLab equipment such as individual computer workstations or laptops. Personal computers and laptops supplied by LiftLab are to be used solely for business purposes and unauthorized access and use is prohibited.

4.6. Disciplinary Action. Employees who violate LiftLab company policies or this Data Safeguards Statement may face disciplinary consequences in proportion to their violation. LiftLab management will determine how serious an employee’s offense is and take the appropriate action. For serious violations, employees may face severe disciplinary actions up to and including termination.

5. Identification and Authentication. Individual users have unique logon IDs and passwords. Each access control system identifies each user and is designed to prevent unauthorized users from entering or using information resources. Security requirements for user identification require that (i) each user be assigned a unique identifier, (ii) all user login IDs be audited at least twice yearly, and (iii) all inactive logon IDs are revoked. LiftLab department heads are required to create appropriate offboarding tickets and/or notify appropriate personnel upon the departure of all employees and contractors, at which time login IDs are revoked. The logon ID is locked or revoked after a maximum of ten (10) unsuccessful logon attempts which then require the passwords to be reset by the appropriate administrator. New SlashNest employee or contractor users who desire to obtain access to LiftLab systems or networks must have approval from the supervisor or department head of each user requesting access.

6. Passwords. User IDs and passwords are required to gain access to all LiftLab networks and workstations. Passwords are required to follow industry security requirements. Currently, these are required to be a minimum of twelve characters, contain a combination of upper- and lower-case alphabetic characters, numeric characters, and special characters. Passwords must be changed every 90 days. Compromised passwords shall be changed immediately. Passwords are not permitted may only be shared in LiftLab’s enterprise password manager with users based on role and must be kept confidential. Passwords are masked or suppressed on all online screens and are never printed or included in reports or logs. Passwords are stored in an encrypted format.

7. Access Control. LiftLab’s information resources are protected using access control systems. Access control systems implemented by LiftLab are both internal (i.e. passwords, encryption, access control lists, constrained user interfaces, etc.) and external (i.e. port protection devices, firewalls, host-based authentication, etc.). Rules for access to LiftLab resources (including internal and external telecommunications and networks) have been established by the information/application owner or manager responsible for the resources on a "need to know" basis.

8. Identification and Authentication Requirements. The host security management program maintains current user application activity authorizations. Each initial request for a connection or a session is subject to the authorization process previously addressed.

9. User Login Entitlement Reviews. If an employee changes positions at LiftLab, the employee’s new supervisor or department head shall promptly notify the Information Technology (“IT”) department of the change of roles or access that need to be added and the roles or access that need to be removed so that employee has access to the minimum necessary data to effectively perform their new job functions. No less than annually, the IT Manager conducts entitlement reviews with department heads to verify that all employees have the appropriate roles, access, and software necessary to perform their job functions effectively while being limited to the minimum necessary data to protect PII data.

10. Termination of User Logon Account. Upon termination of an employee, whether voluntary or involuntary,the employee’s access is revoked. No less than quarterly, the IT Manager or their designee provides a list of active user accounts for both network and application access, including access to the electronic record and the LiftLab management system, to department heads for review to verify the employee’s termination status.

11. Network Connectivity.

11.1 Telecommunication Equipment. Certain direct link connections used by LiftLab may require a dedicated or leased phone line. These facilities are authorized only by the Data Protection Administrator or appropriate personnel and ordered by the appropriate personnel.

11.2. Firewalls. Authorization from the Data Protection Administrator or appropriate personnel must be received before any employee or contractor is granted access to a LiftLab router or firewall.

11.3 New Software Distribution. Only software created by LiftLab application staff, if applicable, or software approved by the Data Protection Administrator or appropriate personnel will be used on internal computers and networks. All new software will be tested by appropriate personnel in order to verify compatibility with currently installed software and network configuration.

11. 4 Virus Scanning. In addition, appropriate personnel or systems are configured to scan for software for viruses before installation. This includes shrink-wrapped software procured directly from commercial sources as well as shareware and freeware obtained from electronic bulletin boards, the Internet, or other sources.

12. Encryption. LiftLab uses encryption keys to specify the transformation of plain text into cipher text, or vice versa during decryption. If justified by risk analysis, sensitive data, and files shall be encrypted before being transmitted through networks. When encrypted data are transferred between agencies, the agencies devise a mutually agreeable procedure for secure key management. In the case of conflict, LiftLab establishes the criteria in conjunction with the Data Protection Administrator or appropriate personnel. LiftLab employs several methods of secure data transmission.

12.1 E-mail Encryption System: Any user desiring to transfer secure e-mail with a specific identified external user will be able to safely exchange secure e-mail using Email Encryption service made available by LiftLab.

12.2. File Transfer Protocol (FTP): Files may be transferred to secure FTP sites using appropriate security precautions. Requests for any FTP transfers should be directed to the Data Protection Administrator or appropriate personnel.

12.3. Secure Socket Layer (SSL) Web Interface: Any API hosted (ASP) system, if applicable, requires access to a secure SSL website. Any such access must be requested and have appropriate approval from the supervisor or department head as well as the Data Protection Administrator or appropriate personnel before any access is granted.

13. Wireless Procedures. LiftLab implements processes and procedures for acquiring wireless access privileges, utilizing wireless access, and ensuring the security of LiftLab laptops and mobile devices. Use of removable media is not allowed.

14. Disposal of Hardware. All equipment to be disposed of must be wiped of all data, and all settings and configurations reset to factory defaults. No other settings, configurations, software installation or options will be made. Asset tags and any other identifying logos or markings are required to be removed.

15. Information System Activity Review. LiftLab conducts, on a periodic basis, an operational review of system activity including, but not limited to, user accounts, system access, file access, security incidents, audit logs, and access reports. Such reviews are at least annual. Audits are also conducted if LiftLab has reason to suspect wrongdoing. In conducting these reviews, LiftLab examines audit logs for security-significant events including, but not limited to, the following:

Logins – Scan successful and unsuccessful login attempts. Identify multiple failed login attempts, account lockouts, and unauthorized access.

File accesses – Scan successful and unsuccessful file access attempts. Identify multiple failed access attempts, unauthorized access, and unauthorized file creation, modification, or deletion.
Security incidents – Examine records from security devices or system audit logs for events that constitute system compromises, unsuccessful compromise attempts, malicious logic (e.g., viruses, worms), denial of service, or scanning/probing incidents.
User Accounts – Review of user accounts within all systems to ensure users that no longer have a business need for information systems no longer have such access to the information and/or system.

All significant findings are recorded. Completed reports, as well as recommended actions to be taken in response to findings.

16. Data Integrity. LiftLab implements and maintains appropriate electronic mechanisms to corroborate that Customer Data has not been altered or destroyed in an unauthorized manner. To the fullest extent possible, LiftLab utilizes applications with built-in intelligence that automatically checks for human errors. LiftLab acquires appropriate network-based and host-based intrusion detection systems. To prevent transmission errors as data passes from one computer to another, LiftLab uses encryption consistent with this Data Safeguards Statement, as determined to be appropriate, to preserve the integrity of data. LiftLab checks for possible duplication of data in its computer systems to prevent poor data integration between different computer systems. To prevent programming or software bugs, LiftLab tests its information systems for accuracy and functionality before it starts to use them. LiftLab will update its systems when IT vendors release fixes to address known bugs or problems.

17. Security Awareness and Training. All LiftLab workforce members receive appropriate training concerning LiftLab’s security policies and procedures. Such training is repeated annually for all employees. Attendance and/or participation in such training is mandatory for all workforce members. All workforce members receive routine security reminders on a regular basis. Periodic reminders address password security, malicious software, incident identification and response, and access control. Reminders may be provided through formal training, e-mail messages, discussions during staff meetings, screen savers, log-in banners, newsletter/intranet articles, posters, promotional items such as coffee mugs, mouse pads, sticky notes, etc.

18. Protection from Malicious Software. As part of the above awareness and training efforts, LiftLab provides training concerning the prevention, detection, containment, and eradication of malicious software. Such training includes relevant topics such as guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail, instructions to never download files from unknown or suspicious sources, recognizing signs of a potential virus, the importance of backing up critical data on a regular basis and storing the data in a safe place, damage caused by viruses and worms, and what to do if a virus or worm is detected.

19. Incident Response and Notification Procedures.

19.1 General. For purposes of this Section, an “Incident” means any act or omission that compromises LiftLab’s or its providers’ physical, technical, or organizational safeguards for the Service or that breaches this Data Safeguards Statement and leads to the actual or suspected unauthorized access, use, disclosure, or processing of Customer Data. LiftLab will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. If an Incident occurs, LiftLab will (i) promptly take all necessary steps to prevent any further compromise of Customer Data or any future Incidents; (ii) notify Customer within forty-eight (48) hours (unless earlier notification is required by law) of the Incident being identified and provide updates regarding the status of the remediation at Customer’s reasonable request; and (iii) respond promptly to any reasonable request from Customer for additional information pertaining to the Incident. LiftLab’s notice will contain a description of the known or suspected nature of the Incident, its impact, and relevant investigative, corrective, or remedial actions taken or planned (unless disclosure of the same may compromise the integrity of an ongoing investigation or forensic analysis, in which case LiftLab will share the portion of those actions taken or planned it is reasonable able to).

19.2 Audit and Reporting. Upon reasonable request, LiftLab will permit Customer or its third-party auditor to review and verify relevant logs and data pertaining to any Incident investigation unless doing so impacts LiftLab’s ability to maintain other customer commitments concerning confidentiality and security. Upon conclusion of investigative, corrective, and remedial actions with respect to an Incident, LiftLab will prepare and deliver to Customer, at its request, a final report that describes (i) the known extent of the Incident; (ii) the Customer Data subject to the Incident; (iii) all critical corrective and remedial actions completed or in process; (iv) the efforts taken to mitigate the risks of further Incidents.

ANNEX C

Standard Contractual Clauses

1. EU Standard Contractual Clauses:

For data transfers from the EEA to locations outside the EEA or the UK, the 2021 EU Standard Contractual Clauses will apply in the following manner. Where the applicable sections of the Standard Contractual Clauses require the data exporter and the data importer to select a module Customer has selected the following:

1.1. Applicable SCC Module (check as applicable): X Module 2 (C2P) X Module 3 ( P2P)

1.1.1 Module Two of the Standard Contractual Clauses (Transfer controller to processor) shall apply where LiftLab, as data importer, is acting as Customer’s Data Processor; and

1.1.2 Module Three of the Standard Contractual Clauses (Transfer processor to processor) shall apply where Customer is acting as a processor, and LiftLab, as data importer, is acting as Customer’s data sub- Processor;

1.2. Clause 7, the optional docking clause will not apply.

1.3 Clause 9(a), Option 2 (“General Written Authorisation”) will apply. The notification, authorization, and applicable time period will be as set forth in Sections 4.1, 4.2 of the DPA.

1.4 Clause 17, Option 1 will apply. These Standard Contractual Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The parties agree that this shall be the law of the Netherlands.

1.5 Clause 18(b), disputes will be resolved before the courts of the Netherlands.

2. UK Standard Contractual Clauses: For data transfers from the United Kingdom, the applicable Model Clauses shall be the UK International Data Transfer Agreement, or the UK International Data Transfer Addendum (altogether, the “UK SCCs”) as applicable. For data transfers subject to the UK SCCs, Annex A and Annex B of this DPA shall apply as Annexes 1A, 1B. and Annex II respectively of the UK SCCs. For personal data subject to the privacy laws of the UK, references to the GDPR in the Addendum will be deemed to be references to the the UK GDPR and Data Protection Act 2018, and, to the extent possible, Modules and optional clauses shall apply as set forth above in Sections 1.1, 1.2 “EU Standard Contractual Clauses.”

3. UK Standard Contractual Clauses- Applicability. The UK SCCs will apply in the following manner:

3.1 Table 2:

3.1.1 Exporter Status: Customer, as exporter is a (pick as may be applicable): X controller X processor

3.1.2 Importer Status: LiftLab, as importer is a (pick as may be applicable): X processor X sub-processor

3.2 Table 3, list of Sub-processors: see URL www.liftlab.com/subprocessors.

3.3 Table 4: both the Importer and the exporter may end the UK SCCs in accordance with the terms of the UK SCCs.

3.4 In the event both the EU Standard Contractual Clauses and the UK SCC’s apply, then the UK International Data Transfer Addendum shall apply.

3.5 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK SCCs and any other terms in this Addendum, or the Agreement, the provisions of the EU Standard Contractual Clauses or UK SCCs as applicable, will prevail.

3.6 Jurisdiction. With regard to personal data subject to the data privacy laws of the UK, this Annex C and the UK SCCs are governed by the laws of England and Wales, and any dispute arising under the UK SCCs will be resolved by the courts of England and Wales.

4. Conflict: To the extent that there is any conflict between the terms of the DPA and the Model Clauses, the relevant term(s) of the applicable Model Clauses will control.