Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of, and is subject to, the Master Services Agreement or other written or electronic terms of service or subscription agreement between Lampi AI and Customer that reference this DPA (the “Agreement”), and is effective on the Effective Date of the Agreement.
If the Parties agree that an Affiliate listed in the Order Form should be eligible to use the Services, Customer confirms that it is authorized to enter into relevant data processing agreements with Lampi AI on such Affiliates' behalf. If any deviations are necessary due to mandatory legal requirements applicable to an Affiliate, Customer undertakes to ensure that such issues are raised in writing to Lampi AI in advance (before any processing on behalf of such Affiliate takes place).
This DPA applies where, and to the extent that, Lampi AI (i) processes or collects Customer or End User Personal Information on behalf of Customer when providing Services under the Agreement or (ii) has access to the Customer’s employees’ and/or customers’ Personal Information.
Consequently, Lampi AI must comply with all applicable Data Applicable Laws and implement the necessary measures to ensure security and confidentiality of the related Personal Information, as described in this DPA.
1. Definitions
Capitalised terms used herein shall have the respective meanings specified below in this Article 1.
| Term | Definition |
| --- | --- |
| Data Applicable Law | refers to all laws and regulations applicable to the processing set forth herein, and, in any case, the GDPR. |
| Data Controller | refers to an entity that determines the purposes and means of the processing of Personal Information. |
| Data Processor | refers to an entity that processes Personal Information on behalf of a Data Controller. |
| DPA | refers to the present agreement, all its amendments and related appendices. |
| Sub-Processor | refers to a third-party data processor engaged by Data Processor who has or will have access to or process Personal Information from Data Controller. |
This DPA applies where, and to the extent that, Lampi AI processes Personal Information on behalf of Customer (or End Users) when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
All definitions in section 4 of the GDPR shall apply to the present DPA including but not limited to: processor, Personal Information, data subjects, profiling, pseudonymisation, consent, Personal Information breach, international organization.
2. Purpose
The purpose of this DPA is to define the terms and conditions under which Lampi AI undertakes to perform, on behalf of the Customer, the processing set forth herein.
In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall control and govern.
3. Processing by Lampi AI
As part of delivering the Services under the Agreement, Lampi AI has access to the Personal Information processed by the Customer under its responsibility.
The legal basis for this processing is the provision of the Service by Lampi AI.
In the relationship between Lampi AI and the Customer, the Customer is the Data Controller of Personal Information. Lampi AI will process Personal Information solely as a Data Processor acting on behalf of the Customer.
The Customer agrees that (i) it will fulfill its obligations as a Data Controller under Data Applicable Laws concerning its processing of Personal Information and any processing instructions it issues to Lampi AI and (ii) it will ensure that the processing is lawful, enabling Lampi AI to process Personal Information according to the Agreement and this DPA. The Customer is responsible for providing information (in accordance with Data Applicable Laws requirements) to data subjects when collecting their Personal Information.
Details of data processing are set forth in Appendix 1.
The Customer agrees not to provide Lampi AI, the Data Processor, with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.
4. Transfer of Personal Information outside of the European Union or to international organizations
Customer hereby consents to processing of the Personal Information in the countries where Sub-Processors maintain data processing operations, as indicated in Appendix 2, as necessary to help ensure the proper functioning of and improvement to the services.
Data storage. Lampi AI will only ever store Personal Information (and Customer Data) on servers located within the European Union.
Data access. Lampi AI may transfer Personal Information outside of the European Union or to international organizations solely for the purposes of our Sub-Processors accessing Personal Information in order to provide the Services.
Customer acknowledges that such transfer of Personal Information is limited to the case where the Customer or End User uses on its own a Third-Party Model provided by a Third-Party Services provider located outside the European Union.
In the event Lampi AI is required by Data Applicable Law to transfer Personal Information to a country outside the European Union or an international organization, Lampi AI must notify the Customer immediately, and in any case before complying with the transfer obligation, unless Data Applicable Law prohibits such notification on important grounds of public interest.
Where relevant, Lampi AI is bound with Sub-Processors by the “standard contractual clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council” or equivalent legal mechanisms (such as those defined in chapter V of the GDPR, US-EU Privacy Shield, etc.).
In case of any conflict between the standard contractual clauses or equivalent mechanism and this DPA, the standard clauses or equivalent mechanism will control.
5. Designation of Sub-Processors
List of Sub-Processors. Lampi AI engages Sub-Processors to carry out all or parts of the processing. The list of its existing Sub-Processors is accessible in Appendix 2.
Lampi AI has entered into a written agreement with all Sub-Processors.
New Sub-Processors. Lampi AI must give the Customer reasonable prior notice of the addition or replacement of any Sub-Processors. Such subcontracting may only be performed if the Customer has not objected within fifteen (15) days from the date of receipt of the notification, provided that such objection is based on reasonable grounds relating to data protection. Such an objection may be sent by email to Lampi AI at: privacy@lampi.ai.
6. Data subjects' rights
Lampi AI must assist the Customer in fulfilling its obligations to respond to data subjects’ requests regarding the exercise of their rights, including without limitation the rights of access, rectification, erasure and opposition, the right to restriction of processing, the right to portability, and the right not to be subject to automated individual decision-making (including without limitation profiling).
When data subjects send requests regarding their rights to Lampi AI, it must notify the Customer by forwarding the requests within five (5) business days of receipt. Lampi AI must not respond to data subject requests without the Customer's prior approval.
7. Record of processing activities
Lampi AI agrees to maintain a written record of all categories of processing activities performed on behalf of the Customer, including:
The name and contact details of (i) the Customer entity on whose behalf Lampi AI acts, (ii) any Sub-processors and, where applicable, (iii) the data protection officer;
The categories of processing activities carried out on behalf of the Customer;
A general description of technical and organizational security measures.
8. Security measures and audit
Lampi AI has implemented security measures described in Appendix 3 and must, upon the Customer's request, demonstrate its compliance therewith.
The Customer may, in its sole discretion, itself or through a third party, conduct an audit of Lampi AI’s data security measures, no more than once every twelve (12) months, and Lampi AI must cooperate with such audits. If such a review reveals any material vulnerabilities, Lampi AI must fix such vulnerabilities without undue delay, at its own expense.
The Customer, at its election, may block Lampi AI’s receipt of or access to Personal Information until Lampi AI’s data security vulnerabilities have been resolved to the Customer’s satisfaction.
In the event of a Personal Information breach, Lampi AI will also permit the Customer to conduct an exceptional supplementary audit in order to ensure that the proper security requirements and remedies have been put in place.
Lampi AI acknowledges that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures.
Lampi AI will therefore evaluate the measures as implemented in accordance with this section and Schedule 1 on an ongoing basis in order to maintain compliance with the requirements set out therein.
9. Personal Information breach notification
Lampi AI must notify the Customer of any Personal Information breach within twenty-four (24) hours of becoming aware of it.
This notification must be accompanied by all relevant documentation in order to enable the Customer, if necessary, to notify that breach to the competent supervisory authority and the data subjects if need be. The documentation must include the following without limitation:
A description of the nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Information records concerned.
The name, phone number and email address of Lampi AI's contact point.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to be taken by Lampi AI to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
10. Personal Information output
Upon fulfillment of the processing for the purposes agreed, termination of the Agreement and/or the DPA, and/or upon written request by the Customer, Lampi AI shall, at the discretion of the Customer, either delete or return all the Personal Information to the Customer and delete existing copies and backups. Lampi AI agrees to follow the Customer’s instructions within sixty (60) days of receipt.
In the event the Customer does not provide any instructions within thirty (30) days from receipt of Lampi AI's notification, Lampi AI must return all Personal Information to the Customer and delete all existing copies and backups.
11. Assistance and documentation
In addition to its assistance obligation as set forth in section 7, Lampi AI must assist the Customer in ensuring compliance with obligations pursuant to security, and Personal Information breach notifications to a supervisory authority and/or to data subjects.
Lampi AI must provide to the Customer all information necessary to demonstrate compliance with all its obligations.
Lampi AI agrees to assist the Customer in completing data protection impact assessments as required by Data Applicable Law.
12. Terms
The provisions of this DPA shall apply as long as Lampi AI processes Personal Information for which the Customer is Data Controller.
13. Miscellaneous
Notification. Any written notification, contact or notice under this DPA must be sent to the following email address: privacy@lampi.ai.
Liability. For the avoidance of doubt, any claim or remedies the Customer may have against Lampi AI, any of its Affiliates and their respective employees, agents and Sub-Processors arising under or in connection with this DPA, including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Customer; and (iii) under Data Applicable Law will be subject to any limitation of liability provisions that apply under the Agreement.
Force majeure. No Party shall be liable for failure to fulfill any obligation under this DPA which is prevented or delayed by an event of force majeure, as defined by the French civil code and case law. The Party claiming the benefit of this provision shall, as soon as reasonably possible after the occurrence of such event: (i) notify the other Party of the nature and extent of any such force majeure condition and (ii) use all possible means to resume performance under this DPA as soon as possible. If a Party’s performance is affected by force majeure for a period of more than twenty (20) calendar days, then the other Party may terminate this DPA by giving written notice to the other Party, without incurring any cost or liability.
Waiver. Failure by either Party to insist upon the strict performance of the terms and conditions of this DPA shall not be construed as a waiver of such, and shall in no way affect the Party’s right to enforce such provision.
Severability. If any provision of this DPA shall be held invalid or unenforceable by any court of competent authority, this DPA shall continue to be valid as to the other provisions thereof and the remainder of the affected provision.
Governing law. The laws of France shall govern this DPA. Each of the Parties irrevocably submits to the exclusive jurisdiction of the competent courts within the jurisdiction of the Paris Court of Appeal (France) for any suit, action, proceeding or judgment relating to or arising out of the DPA and the transactions contemplated hereby.
Appendix 1 - Specification of data processing
Categories of Personal Information.
User: first and last name, email address, access level and system role, and other attributes that are provided when using the Services. Such personal data might also be collected from third-party systems per the Customer or End User’s instruction.
Customer Data,
Usage (Support purposes): Data about activity on and use of our Services,
Device and Internet data (Support purposes): IP address, browser language, browser type, operating system, city and country, device type. Internet data
Other Information for Support Services: Details such as the content of communications with Lampi AI, including interactions with customer support and contacts through social media channels.
The transfer by the Data Controller of any special categories of data as defined in Article 9 of the GDPR, such as health data, genetic or biometric data, data revealing racial and ethnic origin, political opinions, religious or ideological convictions, trade union affiliation, or sexual orientation, or criminal convictions or offenses, is strictly prohibited.
Categories of data subjects. Lampi AI will process Personal Data regarding the Subscriber’s end-users of the Services, which includes the following categories of data subjects:
Customer’s employees, clients, customers, end users, contractors, consultants, advisors.
Processing operations. Lampi AI will collect, store, organize, process, delete, analyze and host the Personal Information for the purpose indicated above, as included in the Agreement and in accordance with instructions of the Customer.
Location of processing operations. France and as specified in the Sub-Processors Notice mentioned in Appendix 2.
Appendix 2 - List of Sub-Processors
Lampi AI engages Sub-Processors to carry out all or parts of the processing.
The list of its existing Sub-processors is available in the Sub-Processors Notice.
Appendix 3 - Security Measures
The list of Security Measures is available in the Security Measures Notice.