
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of and is incorporated by reference into the Agent Edge Master Subscription Terms (“Terms”) governing Customer’s access to and use of the Services provided by Lean Staffing Solutions Inc. (“LSG”). This DPA is effective as of the beginning of the Term applicable to the Services involving the Processing of Personal Information. In the event of any conflict between the provisions of these Terms and this DPA, the provisions of this DPA shall prevail solely with respect to data protection and privacy matters. All capitalized terms not defined in this DPA shall have the meanings assigned to them in the Terms. Customer’s execution of an Order, Statement of Work, pilot or trial document referencing the Terms, or Customer’s access to or use of the Services, constitutes acceptance of this DPA.
IT IS AGREED AS FOLLOWS:
1.0 Definitions and Interpretation. Capitalized terms and expressions used in this DPA shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the Terms.
1.1 “Data Protection Laws” means all data protection and privacy laws to the extent applicable to the respective party in its role in the Processing of Personal Information under the Terms, including, where applicable, EU & UK Data Protection Laws, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), and similar laws and associated regulations and regulatory guidance, all as may be amended.
1.2 “Data Subject” means any identified or identifiable natural person who can be identified, directly or indirectly, by Personal Information.
1.3 “Data Transfer(s)” means: (i) a transfer of Personal Information from Customer to a Subprocessor; (ii) a transfer of Personal Information from LSG to a Subprocessor; or (iii) an onward transfer of Personal Information from a Subprocessor to another Subprocessor, or between two establishments of a Subprocessor.
1.4 “EEA” means the European Economic Area.
1.5 “EU & UK Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Information and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
1.6 “SCCs” means, together (i) “EU SCCs,” which means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, (ii) “UK Addendum,” which means the International Data Transfer Addendum (“IDTA”) issued by the Information Commissioner’s Office under § 119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, (iii) “ASEAN MCCs,” which means the model contractual clauses for the cross-border transfer of personal data issued by the Association of Southeast Asian Nations, currently found at https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf, and (iv) “Switzerland Addendum,” which means the Switzerland Addendum to the EU SCCs issued by the Federal Data Protection and Information Commissioner (“FDPIC”) in accordance with Article 16 of the Federal Act on Data Protection (“FADP”), currently found at https://www.edoeb.admin.ch/dam/en/sd-web/smvG75WY5Vsi/%C3%9Cbermittlung%20von%20Personendaten%20-%20SCC_EN.pdf.
1.7 “Subprocessor(s)” means any entity contracted by LSG to process Personal Information in connection with the Terms.
2.0 Restrictions on Processing of Personal Information.
2.1 LSG shall: (i) only Process Personal Information in accordance with Customer’s instructions in this DPA, the Terms, and any applicable Order, which Customer shall ensure comply with all applicable Data Protection Laws; (ii) use commercially reasonable efforts to select and engage Subprocessors that maintain appropriate technical and organizational measures designed to protect Personal Information, consistent with industry standards and the nature of the Services; (iii) only Process Personal Information for purposes of providing, operating, supporting, and improving the Services, including the development and enhancement of features and functionality, in each case as described in the applicable Order or otherwise permitted by Customer; (iv) not sell, combine, retain, share, or disclose Personal Information for any purpose besides compliance with this Section 2.1, except as permissible by Data Protection Laws and consistent with this DPA.
2.2 LSG certifies that it understands the restrictions in this DPA’s Section 2.1 and will comply with them.
2.3 LSG shall inform Customer if it becomes unable or unwilling to comply with Data Protection Laws regarding the Personal Information.
2.4 LSG may de-identify Personal Information in accordance with applicable Data Protection Laws using reasonable technical and organizational measures designed to ensure that such data cannot reasonably be used to identify an individual, directly or indirectly, taking into account available technology and means reasonably likely to be used for re-identification. Data that has been de-identified such that it no longer constitutes Personal Information and cannot reasonably be used to identify an individual (“De-identified Data”) shall not be considered Personal Information and shall not be subject to the restrictions set forth in this DPA.
2.5 LSG shall Process Personal Information only to the extent necessary for the purposes described in this DPA and the Terms.
3.0 Data Subject Rights.
3.1 Taking into account the nature of the Processing and information available to Customer, LSG shall provide Customer reasonable assistance responding to, and complying with, requests to exercise Data Subject rights under the Data Protection Laws.
3.2 LSG shall: (i) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Data, unless prohibited by applicable law; and (ii) ensure that it does not respond to such request except on the documented instructions of Customer or as required by applicable laws to which LSG is subject, in which case LSG shall, to the extent permitted by applicable law, inform Customer of such legal requirement prior to responding.
4.0 Transparency.
4.1 LSG’s list of current Subprocessors may be viewed at https://www.leangroup.com/subprocessors-agentedge. LSG shall notify Customer of changes to this Subprocessor listing via email or portal notification. If Customer, acting in good faith, objects to the addition of a new Subprocessor on reasonable data protection grounds, Customer shall notify LSG within thirty (30) days of such notice. The Parties shall discuss the objection in good faith. If the Parties are unable to resolve the objection, Customer may terminate the affected Order without penalty by providing written notice to LSG prior to the effective date of such Subprocessor’s engagement.
4.2 For at least the Term, LSG shall maintain administrative, technical, and organizational measures designed to protect Personal Information that are no less protective than those generally accepted as reasonable in the industry, taking into account the nature of the Services and the Personal Information Processed.
4.3 LSG and its Subprocessors may Process Personal Information in the United States and in other jurisdictions as described at https://www.leangroup.com/data-processing-locations-agentedge, which may be updated from time to time in accordance with the Terms.
5.0 Customer Commitment.
5.1 Customer represents and warrants that: (i) it is only providing Personal Information that is necessary, reasonable, and proportionate for the business purpose of the Processing; (ii) Customer has assessed and determined that LSG’s cybersecurity measures, as described in the Terms and this DPA, are reasonable and sufficient for Customer’s intended Processing of Personal Information in compliance with applicable Data Protection Laws; and (iii) if, based on the Processing locations disclosed in this DPA or the Data Transfers contemplated herein, additional safeguards or contractual measures are required under applicable Data Protection Laws, Customer shall notify LSG prior to providing such Personal Information, and the Parties shall discuss in good faith whether such additional measures can be implemented. If the Parties are unable to reach agreement, Customer shall not provide Personal Information requiring such additional safeguards.
6.0 Cross-Border Data Transfers.
6.1 To the extent required for Data Transfers to comply with applicable Data Protection Laws, the following standard contractual clauses shall apply and be deemed executed as of the effective date of the Terms.
6.2 For Data Transfers from within the EEA to a country the European Commission has not decided ensures an adequate level of protection pursuant to Article 45 of the GDPR, the EU SCCs issued on June 4, 2021 by the European Commission shall apply. As between Customer and LSG, Module 2 shall apply, with the following selections: (i) optional Clause 7 is omitted; (ii) for Clause 9, Option 2 is selected, and the time period for the addition or replacement of Subprocessors shall be thirty (30) days; and (iii) for Clause 17 and Clause 18, the Member State for purposes of governing law and jurisdiction shall be Ireland. The Annexes shall be deemed completed based upon the Terms and this DPA.
6.3 For Data Transfers from the United Kingdom to a country with materially lower protections, the IDTA or UK Addendum to the EU SCCs shall apply, as appropriate. As between Customer and LSG, the following shall apply: (i) for Table 1, the Parties agree that the information required is deemed to be completed in accordance with the Terms and this DPA; (ii) for Table 2, the option labeled “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum” is selected, and the selections in Section 6.2 of this DPA apply; (iii) Table 3 is deemed to be completed consistent with the Terms and this DPA; and (iv) for Table 4, both importer and exporter are selected.
6.4 For Data Transfers from Switzerland to a country that the Federal Council has not decided ensures an adequate level of data protection, the Switzerland Addendum to the EU SCCs shall apply. To the extent that the FADP and the GDPR both apply to the Data Transfer, referred to in the Switzerland Addendum as “Case 2,” the following shall apply: (i) Option 2 is selected; (ii) to the extent required by the Switzerland Addendum, the FDPIC is designated as a supervisory authority under Annex 1.C of the EU SCCs; (iii) the applicable law for contractual claims under Clause 17 and the place of jurisdiction pursuant to Clause 18 shall be Ireland; and (iv) the term “member state” under the EU SCCs must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs. To the extent FADP, but not GDPR, applies to the Data Transfer, referred to in the Switzerland Addendum as “Case 1,” the Parties agree: (i) Case 1 of the Swiss Addendum shall apply; and (ii) the applicable law and jurisdiction shall be Ireland.
6.5 For Data Transfers from a member country of the Association of Southeast Asian Nations across borders to another country, the ASEAN MCCs shall apply. As among the Customer and LSG, Module 1 shall apply, with the following selections: (i) optional Clause 2.2 is selected; (ii) optional Clauses 3.4, 3.6, and 3.7 are omitted; (iii) for Clause 3.10, “without undue delay,” is selected, and LSG will notify the Customer of a Data Breach accordingly; and (iv) for Clause 1.5 under Individual Remedies, the option, “in such manner as the Data Subjects may determine,” is selected.
7.0 Security.
7.1 LSG shall implement and maintain reasonable administrative, technical, and organizational measures designed to protect Personal Information, taking into account the nature of the Services, the Personal Information Processed, and applicable Data Protection Laws. Customer is solely responsible for determining whether LSG’s and its Subprocessors’ cybersecurity protections are reasonable for the Personal Information provided by Customer to LSG, and shall hold LSG harmless against any Losses, whether first-party or third-party, alleged to be caused by the alleged insufficiency of such measures for the particular Personal Information Processed by LSG or Subprocessors. In determining the sufficiency of LSG’s and its Subprocessors’ cybersecurity measures, Customer shall consider the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk and varying likelihood of potential impact on Data Subjects.
7.2 LSG shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Subprocessor who may have access to Personal Information, using reasonable steps to limit access to those individuals who need to know or access the relevant Personal Information for the purposes of the Services, and to comply with applicable laws, including requiring all such individuals be subject to confidentiality undertakings or professional or statutory obligations of confidentiality. LSG shall ensure that all personnel authorized to Process Personal Information are subject to appropriate confidentiality obligations.
8.0 Security.
8.1 LSG shall notify Customer without undue delay upon LSG becoming aware of a Security Event affecting Customer Data and shall offer Customer reasonable assistance to allow Customer to gather sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Security Event under the Data Protection Laws.
8.2 Processor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Security Event.
8.3 Customer is solely responsible for determining whether LSG’s administrative, technical, and organizational cybersecurity measures, as described in the Terms and this DPA, are appropriate for the nature of the Personal Information provided by Customer to LSG. Customer acknowledges and agrees that LSG does not provide customized or bespoke security controls unless expressly agreed in an Order. Customer shall hold LSG harmless from any Losses arising solely from Customer’s decision to Process Personal Information requiring safeguards beyond those described in the Terms and this DPA, except to the extent such Losses result from LSG’s breach of its obligations under applicable Data Protection Laws.
9.0 Oversight and Audit Rights.
9.1 LSG shall make available to the Customer, upon reasonable request, all information necessary to demonstrate LSG’s compliance with (i) this DPA and (ii) Data Protection Laws. No more than once per calendar year during the Term, Customer may, at its sole expense, hire a mutually agreed upon independent third-party, subject to a nondisclosure agreement with LSG, to audit LSG’s controls relevant to its security, confidentiality, and privacy of Customer Data. LSG grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any and all unauthorized use of Personal Information.
9.2 Upon termination or expiration of the Services, LSG shall, at Customer’s election and subject to applicable law, delete or return Personal Information in its possession or control within a reasonable period, except to the extent retention is required by applicable law or for legitimate business purposes in accordance with the Terms and this DPA.