Data Processing Addendum

Last updated on September 21, 2022

This Data Protection Addendum (the “DPA”) is entered into between Loup Co (“Loup”) and the customer identified in the Agreement (“Customer”). Capitalized terms have the meanings provided in the Agreement defined below except as provided here.

WHEREAS, Loup and Customer are parties to a Master Subscription Agreement regarding Customer’s trial and/or subscription to Loup’s Services (the “Agreement”); and

WHEREAS, Loup and Customer wish to enter this DPA, which will accompany the Agreement and govern the parties’ security and data protection obligations.

  1. Data Protection

    1. Definitions: In this DPA, the following terms shall have the following meanings.
      1. "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
      2. "Applicable Data Protection Law" shall mean the GDPR, UK GDPR, California Data Protection Law and all other laws and regulations applicable to the processing of personal data under the Agreement within the United States, European Union, the European Economic Area and their members states, Switzerland and the United Kingdom.
      3. “California Data Protection Law” means the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors.
      4. “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
      5. “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by the European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes 1 and 2 of this DPA.
      6. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018 and the Data Protection Act 2018.
    2. Relationship of the parties. Customer (the controller) appoints Loup as a processor to process the personal data described in the Agreement (the "Data") for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. If Loup becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.
    3. Processing in Accordance with California Law. In accordance with California Data Protection Law, and with respect to personal data to which California Data Protection Law applies: (a) Loup will not “sell” (as defined in the California Data Protection Law) any personal data; and (b) Loup will not collect, share or use any personal data except as necessary to perform services for Customer.
    4. Prohibited data. Customer shall not disclose (and shall not permit any data subject to disclose) to Loup any special categories of personal data or similarly sensitive information, including, but not limited to: (a) protected health information regulated by the Health Insurance Portability and Accountability Act; (b) Social Security numbers, driver’s license numbers or other government-issued identification numbers; (c) financial information, banking account numbers or passwords; (d) payment card data regulated by the Payment Card Industry Data Security Standards; (e) biometric data regulated by the biometric privacy laws; (f) criminal history; (g) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; or (h) personal information of children under 13 years of age. Loup shall have no liability with respect to any such information, notwithstanding anything in this Agreement to the contrary.
    5. International transfers. Loup shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Without prejudice to the foregoing, Customer consents to transfers outside of the EEA where Loup has implemented a transfer solution compliant with Applicable Data Protection Law, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the Standard Contractual Clauses, which are incorporated herein by reference; (c) another appropriate safeguard applies pursuant to Article 46 of the GDPR or other provisions of Applicable Data Protection Law; or (d) a derogation pursuant to Article 49 of the GDPR.
    6. Confidentiality of processing: Loup shall ensure that any person it authorises to process the Data shall protect the Data in accordance with Loup's confidentiality obligations under the Agreement.
    7. Security: The processor shall implement technical and organisational measures as set out in Annex II to protect the Data (a) from accidental or unlawful destruction, and (b) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
    8. Subprocessing: Customer consents to Loup engaging the third party subprocessors listed at the end of this Section 1.8 to process the Data for the Permitted Purpose provided that it: (a) will update its website with any intended changes concerning the addition or replacement of other subprocessors at least ten days prior to any such change, thereby giving Customer the opportunity to object to such changes; (b) Loup imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (c) Loup remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.
    9. Permitted Subprocessors: Amazon Web Services

      1. Cooperation and data subjects' rights. Loup shall provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Loup, Loup shall promptly inform Customer providing full details of the same.
      2. Data Protection Impact Assessment. Loup shall provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required under Applicable Data Protection Law.
      3. Security incidents. If it becomes aware of a confirmed Security Incident, Loup shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Loup shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
      4. Deletion or return of Data. Within 30 days after a written request by Customer or the termination or expiry of the Agreement, Loup shall (at Customer's election) securely destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that Loup is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event Loup shall securely isolate and protect from any further processing except to the extent required by such law.
      5. Audit. Upon request, Loup shall supply a summary copy of any applicable audit report(s) to Customer, which shall be subject to the confidentiality provisions of the Agreement. Loup shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year. In addition, Customer may contact Loup to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Customer’s personal data. Before the commencement of any such on-site audit, Customer and Loup shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Loup incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Loup. Customer shall promptly notify Loup with information regarding any non-compliance discovered during the course of an audit.

  2. Miscellaneous

    1. Construction; Interpretation. This DPA is not a standalone agreement and is only effective if the Agreement is in effect between Customer and Loup. This DPA is part of the Agreement and is governed by its terms and conditions, including the limitations of liability therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
    2. Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
    3. Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
    4. Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
    5. Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by Applicable Data Protection Law, in which case this DPA will be governed by the laws of the Republic of Ireland.
    6. Counterparts. This DPA may be executed and delivered by electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:

  1. Incorporation of Standard Contractual Clauses

    1. Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Loup processes personal data as a processor pursuant to the terms of the Agreement, Loup is located in non-adequacy approved third countries, and Customer is established in the EEA.
    2. Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Loup processes personal data as a processor pursuant to the terms of the Agreement, Loup is located in non-adequacy approved third countries, and Customer is established in the EEA.
  2. Standard Contractual Clause Optional Provisions

    In addition to Section 1, where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

    1. Clause 7 (Docking Clause) is omitted;
    2. In Clause 9(a) (Use of sub-processors) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;
    3. In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
    4. In Clause 16(b) (Suspension of transfers) if Loup is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
    5. In Clause 17 (Governing Law) – the laws of the Republic of Ireland shall govern;
    6. In Clause 18 (Choice of forum and jurisdiction) - the courts of the Republic of Ireland shall have jurisdiction.
  3. Supplementary Terms to Standard Contractual Clauses

    1. Documentation and compliance. For the purposes of Clause 8.9 –the review and audit provisions in the Agreement and DPA shall apply.
    2. Notification and Transparency.
      1. The Parties acknowledge and agree that Loup, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly. 
      2. For purposes of Clause 8.3 – Modules 2 and 3 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Loup to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the data importer) have the option to be the party who makes any communication to the data subject, and Vendor shall provide the level of assistance set out in the DPA
    3. Liability. For the purposes of Clause 12(a), the liability of the parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
    4. Signatories. Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Loup and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.
  4. Swiss Law Provisions

    1. Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
      1. references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
      2. In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
  5. United Kingdom Law Provisions

    1. Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
    2. In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, DPA and these SCCs.
    3. The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.
    4. References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom, UK GDPR and the ICO.
    5. In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK. 

Annex I - Identification of Parties

The full name, address and contact details for the data exporter and data importer are set out in the Agreement; and

  1. In the case of Module 2, Customer and its relevant affiliates established in the EEA are the data exporter and controller, and Loup and its relevant subprocessor affiliates located in non-adequacy approved third countries the data importer and processor;
  2. In the case of Module 3, Customer and its relevant affiliates established in the EEA are the data exporter and processor, and Loup and its relevant subprocessor affiliates located in non-adequacy approved third countries are the data importer and processor;

Description of Data Processing
The data processing activities carried out by Loup under the Agreement may be described as follows:


Subject Matter and Purpose

The personal data transferred will be subject to the following basic processing activities:

Loup will process Customer personal data in order to provide the services identified in the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects:

Customer’s employees and consultants who use Loup’s Service.

Categories of personal data

The personal data transferred concern the following categories of data:

Loup may have access to personal data of Customer’s employees and consultants who use Loup’s Service. The types of personal data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.

Special categories of data

The personal data transferred concern the following special categories of data:

As above

Annex II - Technical And Organizational Security Measures

Loup will:

  1. Take all reasonable measures to prevent unauthorized access to the Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
  2. Use built-in system and audit trails;
  3. Use secure passwords, network intrusion detection technology, encryption and authentication technology, secure login procedures, and virus protection;
  4. Account for all risks presented by processing, for example, from an accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access, or disclosure of the Data;
  5. Ensure pseudonymization and/or encryption of the Data where appropriate;
  6. Maintain the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and Services;
  7. Maintain the ability to restore the availability and access to the Data in a timely manner in the event of a physical or technical incident;
  8. Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Data;
  9. Monitor compliance on an ongoing basis;
  10. Implement measures to identify vulnerabilities concerning the processing of the Data in systems used to provide Services to Customer;
  11. Provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.