Data Processing Addendum (DPA)
Last Updated: 20th of August, 2024
This Data Processing Addendum ("DPA") is entered into between Lleverage B.V., a company incorporated in the Netherlands with offices at Parnassusweg 126, 1076AT Amsterdam ("Lleverage AI", "we", "us", "our") and the Customer identified in the relevant Order Form ("Customer") (each a "Party" and together the "Parties"). This DPA is supplemental to, and forms part of, your Contract and the Terms of Service or other written agreement between Lleverage and Customer (in either case, the "Agreement"). This DPA becomes legally binding upon receipt by Lleverage of the validly completed DPA (the "DPA Effective Date").
1. Definitions
In this DPA, the following terms have specific meanings:
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
"Applicable Data Protection Law" means any data protection and privacy laws applicable to the respective Party in its role in the Processing of Personal Data under the Agreement, including the GDPR, UK Data Protection Laws, Swiss Data Protection Laws, and any other relevant data protection laws.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Customer Data" refers to all electronic data, content, or information that the Customer submits to the Services.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
"Processor" means the entity that Processes Personal Data on behalf of the Controller.
"Sub-processor" means any entity engaged by Lleverage AI or its Affiliates to Process Personal Data in connection with the Services.
Capitalized terms not defined in this DPA will have the meanings given to them in the Agreement or under applicable Data Protection Laws.
2. Processing of Personal Data
Customer Obligations: Customer shall, in its use of the Services and provision of instructions, Process Personal Data in compliance with applicable Data Protection Laws. Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired such data.
Lleverage’s Processing of Personal Data: Lleverage shall Process Personal Data only for the following purposes:
Processing in accordance with the Agreement and applicable Order Form(s);
Processing initiated by Authorized Users in their use of the Services;
Processing to comply with instructions provided by the Customer, where such instructions are consistent with the terms of the Agreement.
Lleverage shall ensure that all personnel authorized to Process Personal Data are subject to confidentiality obligations.
3. Sub-processors
Appointment of Sub-processors: Customer acknowledges and agrees that Lleverage may engage third-party Sub-processors to Process Personal Data. Lleverage shall enter into written agreements with Sub-processors that impose data protection obligations that provide the same level of protection for Personal Data as those in this DPA.
List of Sub-processors: A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible via our Trust Center. Customer consents to these Sub-processors, their locations, and Processing activities as they pertain to Personal Data.
Objection Right for New Sub-processors: Customer may object to Lleverage's use of a new Sub-processor by notifying Lleverage promptly in writing within ten (10) business days after receipt of notice. If Customer reasonably objects and Lleverage cannot accommodate the objection, Customer may terminate the affected Services.
Liability: Lleverage shall be liable for the acts and omissions of its Sub-processors to the same extent Lleverage would be liable if performing the Services directly under this DPA.
4. Data Subject Rights
Data Subject Requests: Lleverage shall, to the extent legally permitted, notify Customer if Lleverage receives a request from a Data Subject to exercise rights under Data Protection Laws. Lleverage shall assist Customer in responding to such requests, to the extent possible and as required by Data Protection Laws.
Regulator Correspondence: Lleverage shall promptly notify Customer of any correspondence from a Supervisory Authority or other regulatory authority related to Personal Data, unless prohibited by law.
5. Security
Security Measures: Lleverage shall implement appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data. These measures shall include encryption, access controls, and regular security assessments. Lleverage will not materially decrease the overall security of the Services during the subscription term.
Security Incidents: Lleverage shall notify Customer without undue delay of any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data ("Security Incident"). Lleverage AI shall take reasonable steps to mitigate the effects of the Security Incident and prevent further incidents.
6. Data Transfers
Restricted Transfers: To the extent that Customer makes a transfer of Personal Data subject to EU, Swiss, or UK Data Protection Laws, the Parties agree to be bound by the relevant Standard Contractual Clauses, which shall be incorporated into this DPA.
7. Audits and Certifications
Third-Party Certifications: Upon Customer’s request, Lleverage shall make available information regarding its compliance with the obligations set forth in this DPA in the form of third-party certifications or audit reports. Summaries of these are always accessible through the Trust Center.
Customer Audits: Customer may conduct an audit of Lleverage’s compliance with this DPA. Audits shall be conducted at Customer’s expense and shall not disrupt Lleverage AI’s business operations.
8. Return and Deletion of Personal Data
Upon termination of the Services, Lleverage shall, at the choice of Customer, return all Personal Data or delete all Personal Data from its systems, unless applicable law requires the retention of such data.
9. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the Netherlands. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts located in Amsterdam, Netherlands.
Last updated