Data Processing Addendum

This Data Processing Agreement, including its schedules and annexes, (collectively, this “DPA”) forms part of the LaderaAI Terms of Service Agreement, any subsequent Order Forms, or any other legally entered and binding written or electronic agreement (collectively, the “Agreement”) entered into between LaderaAI, Inc. (“LaderaAI”) and Customer, acting on its own behalf and on behalf of its Affiliates (defined below). This DPA sets forth each party’s respective obligations regarding the processing of Personal Data (defined below) in connection with the Services (defined below) provided pursuant to the Agreement. 

This DPA shall become effective as of the Effective Date of the Agreement. All capitalized terms not defined in this DPA will have the meaning given to them in the Agreement. 

AGREED TERMS

1.0. Definitions 

The following definitions and rules of interpretation apply in this DPA.

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

1.2. “Business Purposes” means the Services described in the Agreement and any other purposes identified in ANNEX A. DETAILS OF PROCESSING, Section 4. Processing Details.

1.3. “Customer Authorized Privacy Contact” means the persons or categories of persons that Customer authorizes to give LaderaAI personal data processing instructions as identified in ANNEX A. DETAILS OF PROCESSING, Section 1. Data Exporter.

1.4. “Customer Personal Data” means Personal Data provided by or made available by Customer to LaderaAI or collected by LaderaAI on behalf of Customer, which LaderaAI Processes to perform the Services. Customer Personal Data is a subset of “Customer Data” and, as applicable, “Usage Data,” as defined in the LaderaAI Terms of Service.

1.5. “Data Protection Laws” means all applicable global laws, regulations, or treaties concerning privacy, data security, data protection, or the Processing of Personal Data including, but not limited to, European Data Protection Laws and United States privacy laws, such as the California Consumer Privacy Act of 2018 (“CCPA”), each as amended, replaced, or superseded from time to time and the guidance and codes of practice issued by the relevant data protection or supervisory authorities and applicable to a Party.

1.6. “Disclosure Request” means (a) any order, demand, warrant, or any other document requesting or purporting to compel the production of Customer Personal Data (for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands, regulatory inspection or other similar processes); or (b) any other request, inquiry, or complaint involving Customer Personal Data or the Processing of such Customer Personal Data from any governmental, regulatory authority or law enforcement department, including, but not limited to, a data protection authority, or similar regulatory authority.

1.7. “European Data Protection Laws” means (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) the European Union (“EU”) e-Privacy Directive (Directive 2002/58/EC); (c) any and all applicable local data protection laws of any Member State of the EU or country within the European Economic Area (“EEA”) made under or pursuant to (a) or (b); (d) Swiss Data Protection Laws; and (e) United Kingdom (“UK”) Data Protection Laws; in each case as may be amended, superseded, or replaced from time to time.

1.8. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed.

1.9. The “Parties” means LaderaAI and Customer.

1.10. “Sensitive Personal Data” or “Sensitive Personal Information” has the same meaning as “Sensitive Data” as defined in the LaderaAI Terms of Service.

1.11. “Standard Contractual Clauses” (“SCCs”) means the Standard Contractual Clauses for the transfer of Personal Data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as updated, amended, or replaced from time to time.

1.12. “Sub-Processor” means any Processor engaged by LaderaAI in accordance with the terms of this DPA, including, but not limited to, any Affiliate of LaderaAI. “Sub-processor” shall include the entities set forth under ANNEX C. APPROVED LIST OF SUB-PROCESSORS to this DPA.

1.13. “Swiss Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communication in force from time to time in Switzerland, including the Swiss Federal Act on Data Protection of 19 June 1992, SR 235.1, as amended, superseded, or replaced from time to time.

1.14. “UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communication in force from time to time in the UK including the Data Protection Act 2018, the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), each as amended, superseded, or replaced from time to time.

1.15. “UK International Transfer Addendum” means the United Kingdom’s addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.

1.16. Except as otherwise defined in this DPA, “Business,” “Controller,” “Data Subject,” “Personal Data” or “Personal Information,” “Process” or “Processing,” “Processor,” “Sell” or “Selling,” “Service Provider,” and “Share” or “Sharing” are as defined under the relevant Data Protection Laws, and the conjugation of these terms shall be defined accordingly. For purposes of this DPA, the term “Controller” shall also refer to the term “Business” and the term “Processor” shall also refer to the term “Service Provider.”

 

2.0. Purpose and Scope of Processing

 

2.1. Roles of the Parties. Customer and LaderaAI acknowledge and agree that under Data Protection Laws and this DPA, Customer may act as either a Controller or Processor. Where Customer is a Controller, LaderaAI is a Processor. Where Customer is a Processor, LaderaAI is a Sub-processor. All obligations placed on Processors under this DPA shall apply to LaderaAI regardless of whether LaderaAI acts as a Processor or Sub-processor. 

2.2. Details of Processing. The subject matter, duration, nature and purpose of Processing, categories of Customer Personal Data, and Data Subject type(s), in respect of which LaderaAI may Process to fulfill the Business Purposes are described in ANNEX A. DETAILS OF PROCESSING of this DPA.

3.0. Customer Processing Obligations

3.1. Processing Instructions. Customer warrants and represents that Customer shall comply with, and Customer’s instructions for the Processing of the Customer Personal Data shall comply with, Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to LaderaAI by or on behalf of Customer, (b) the means by which Customer acquired the Customer Personal Data provided to LaderaAI, and (c) the instructions it provides to LaderaAI regarding the Processing of Customer Personal Data. Customer shall provide to LaderaAI the minimum amount of Customer Personal Data necessary for the provision of the Services and shall not provide or make available to LaderaAI any Customer Personal Data other than as specified in ANNEX A. DETAILS OF PROCESSING, Section 4. Processing Details.

3.2. Sensitive Personal Data. To the extent that Customer chooses to use any Services to Process Sensitive Personal Data, Customer acknowledges and agrees that Customer is Processing such Sensitive Personal Data in accordance with Data Protection Laws and the Agreement.

3.3. Customer Affiliates. Customer enters into this DPA on behalf of itself and in the name and on behalf of its Affiliates, as applicable, thereby establishing a separate DPA between Customer and each such Customer Affiliate. Customer Affiliates shall be entitled to enforce the terms of this DPA as if each was a signatory to it. Customer shall remain responsible for coordinating all communication with LaderaAI under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.

4.0. LaderaAI Processing Obligations

4.1. Compliance with DPA and Data Protection Laws. LaderaAI shall comply with all Data Protection Laws with respect to performing the Services and Processing the Customer Personal Data. LaderaAI shall not Process Customer Personal Data for any other purpose or in a way that does not comply with this DPA or applicable laws, including the Data Protection Laws. 

 

4.2. Processing Limitations. LaderaAI shall only Process Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with this DPA and Customer's written instructions. LaderaAI shall not collect, disclose, use, or otherwise Process Customer Personal Data: (a) except as necessary to perform the Services and the Business Purposes described in this DPA; (b) outside of the direct business relationship between Customer and LaderaAI; or (c) for its own purposes or those of any third party. LaderaAI shall not sell or share Customer Personal Data, as “sell” and “share” are defined under Data Protection Laws. LaderaAI shall not combine the Customer Personal Data received with Personal Data received from another business or that LaderaAI collects itself (unless such combination is necessary for certain business purposes identified in the Applicable Data Protection Laws).

 

4.3. Artificial Intelligence (AI) Training. LaderaAI will not use Customer Personal Data to train or otherwise improve any AI Feature or services, or features connected to or that feed into any AI Feature.

4.4. Confidentiality. LaderaAI shall protect the confidentiality of the Customer Personal Data in accordance with the terms of this DPA and ensure that any Customer Personal Data is not disclosed or otherwise made available to other persons or used in violation of this DPA. LaderaAI shall ensure that any persons that it authorizes to Process Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are subject to an appropriate duty of confidentiality.

4.5. Compliance Assistance. LaderaAI shall reasonably assist Customer with meeting Customer's compliance obligations under the Data Protection Laws, taking into account the nature of LaderaAI's Processing and the information available to LaderaAI. For example, LaderaAI shall provide reasonable information to enable Customer to carry out Data Protection Impact Assessments or similar evaluations or assessments required under Data Protection Laws, and LaderaAI shall provide reasonable assistance to Customer in its cooperation or prior consultation with supervisory or other regulatory authorities.

4.6. Data Subject Rights. If LaderaAI receives a request from a Data Subject for access to Customer Personal Data or to exercise any of their related rights under the Data Protection Laws, LaderaAI shall notify Customer. Upon Customer’s reasonable request, LaderaAI shall reasonably assist Customer to comply with the rights of Data Subjects under the Data Protection Laws and to respond to any inquiry, complaint, or other correspondence from a Data Subject. 

4.7. Disclosure Requests, Complaints, and Other Communications. If LaderaAI receives a Disclosure Request, complaint, or any other communication regarding the Processing of Customer Personal Data or about either party's compliance with the Data Protection Laws, LaderaAI shall promptly notify Customer, unless prohibited to do so by law. Unless required by law, LaderaAI shall not disclose Customer Personal Data to any third party other than at Customer’s request or instruction. Subject to applicable law, LaderaAI shall oppose any Disclosure Request, and if legally required to respond, shall provide the minimal amount of Customer Personal Data or information about Processing of Customer Personal Data in response to such request or inquiry. LaderaAI shall reasonably assist Customer in responding to any Disclosure Requests, complaints, or other communications regarding the processing of Customer Personal Data by LaderaAI.

4.8. Data Destruction or Return. LaderaAI shall securely destroy or return, and not retain, all Customer Personal Data Processed subject to this DPA in its possession promptly after the expiry or termination of the Agreement, except where retention of Customer Personal Data is required by any law, regulation, or government or regulatory body, in which case the protections of this DPA shall continue to apply to such retained Customer Personal Data for the period of time during which it is retained.

5.0. Security and Audits

5.1. Security Measures. LaderaAI shall implement appropriate technical and organizational measures against unauthorized or unlawful Processing, access, or disclosure of Customer Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data including, but not limited to, the security measures set out in ANNEX B. SECURITY MEASURES. LaderaAI shall periodically review and test the effectiveness of such security measures.

5.2. Data Breach. LaderaAI shall notify the Customer Authorized Privacy Contact no later than forty-eight (48) hours after becoming aware of a Data Breach and promptly take such steps as LaderaAI deems necessary and reasonable to investigate, contain, and mitigate such Data Breach. When notice is provided, LaderaAI shall provide all reasonable information in LaderaAI’s possession to the extent it affects Customer, including: (a) a summary of the nature of the Data Breach, including the types of Customer Personal Data impacted and, to the extent Personal Data is impacted, the categories and approximate number of Data Subjects concerned; (b) the likely consequences; and (c) a description of the measures taken or proposed to be taken to mitigate its possible adverse effects. LaderaAI shall use reasonable efforts to provide Customer with additional updates regarding the Data Breach to the extent it affects Customer.

5.3. Audit Reports and Documentation. At Customer’s written request at reasonable intervals, LaderaAI shall provide Customer with the most recent copies of external third-party audit reports, certifications, or other documentation regarding LaderaAI’s compliance with the obligations in this DPA.

5.4. On-Site Audits. If the Customer reasonably believes the audit reports, certifications, or other documentation provided under Section 5.3 “Audit Reports and Documentation” above are inadequate to demonstrate compliance with the obligations of this DPA, Customer may reasonably request an on-site audit in writing and with no less than 30 days’ notice. An on-site audit may also be requested if LaderaAI has notified Customer of a Data Breach affecting Customer Personal Data or such an audit is required by Data Protection Laws or by the Customer’s competent supervisory authority. LaderaAI shall cooperate in good faith with Customer to schedule any such audit on a mutually agreed upon date and time during LaderaAI’s normal business hours (such agreement not to be unreasonably withheld by either party). In the event any data protection deficiencies are identified by the audit, LaderaAI shall produce and provide Customer with a copy of a written report that includes plans to remedy such deficiencies and remedy any deficiencies identified within a reasonable time period mutually agreed between the parties.

6.0. Cross-border Transfers

6.1. Adequate Measures for Transfers. LaderaAI shall not transfer or otherwise Process Personal Data outside of the country of origin of such Personal Data, either directly or via onward transfer, unless LaderaAI takes measures to ensure the transfer is in compliance with Data Protection Laws and guidance from data protection regulatory authorities in relevant jurisdictions.

6.2. Transfer Assessment. To the extent required under or necessitated by Data Protection Laws and/or guidance issued by data protection regulatory authorities in relevant jurisdictions, LaderaAI shall conduct a risk assessment of any such international transfer to determine if the level of protection provided under the laws of the recipient country is adequate to protect the Personal Data in advance of engaging in any such transfer (“Transfer Assessment”) and implement additional measures as necessary to ensure the protection of the Personal Data.

6.3. Standard Contractual Clauses. The Parties agree that the Standard Contractual Clauses shall apply to transfers of Personal Data from the EEA, UK, or Switzerland to LaderaAI under this DPA where such Personal Data is Processed in third countries not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. 

7.0. Sub-processors

7.1. General Authorization. Customer acknowledges and agrees that LaderaAI may subcontract Processing of Customer Personal Data to a Sub-processor to provide Services. LaderaAI’s current Sub-processors are listed in ANNEX C. APPROVED LIST OF SUB-PROCESSORS of this DPA.

7.2. Liability for Sub-processors. Prior to disclosing any Customer Personal Data to any Sub-processor, LaderaAI shall: (a) enter into a written agreement with each such Sub-processor that imposes obligations that are no less protective than the obligations in this DPA; and (b) remain liable to Customer and responsible for the Sub-processor’s acts, errors, and omissions, and any failure to perform its obligations with respect to the Processing of Customer Personal Data and under Data Protection Laws.

7.3. New Sub-processor. Prior to engaging any new Sub-processors that Process Customer Personal Data, LaderaAI shall notify Customer via email (including details of the Processing it performs or shall perform) and allow Customer ten (10) calendar days to object. If Customer has legitimate objections to the appointment of any new Sub-processor, the Parties shall work together in good faith to resolve the grounds for the objection for no less than thirty (30) calendar days. Failing any such resolution, Customer may terminate the part of the Services performed under this DPA that cannot be performed by LaderaAI without use of the objectionable Sub-processor. For the avoidance of doubt, LaderaAI shall comply with the obligations set forth in Section 7.2 with respect to any new Sub-processor.

8.0. Term and Termination

8.1. Survival. This DPA shall remain in full force and effect so long as LaderaAI retains any Customer Personal Data in its possession or control, even if LaderaAI has fulfilled its obligations under all existing Order Forms.

8.2. Material Breach. A party’s failure to comply with the terms of this DPA is a material breach. In the event of a material breach by either party, the other party may terminate this DPA, in whole or in part, effective immediately on written notice without further liability or obligation.

8.3. Noncompliance. If a change in any Data Protection Law prevents either party from fulfilling all or part of its obligations under this DPA, the Parties shall suspend the Processing of Customer Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of Customer Personal Data into compliance with the Data Protection Laws within sixty (60) days, either Party may terminate this DPA on written notice to the other Party.

9.0. General

9.1. Annexes. The Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

9.2. Conflicts with SCCs or DPA. In the event of any conflict or inconsistency between the following documents, their provisions shall prevail in the following order of precedence: (a) the Standard Contractual Clauses or International Data Transfer Addendum; then (b) the DPA; and then (c) the Agreement.

9.3. Limitation of Liability. Liability arising out of or related to this DPA shall be subject to the liability terms in the Agreement.

Choice of Law. Without prejudice to Standard Contractual Clauses or the UK International Data Transfer Addendum, this DPA shall be governed by and construed in accordance with the laws of the Agreement. Any disputes or claims arising under this DPA shall be brought in the State of Delaware.

9.4. Changes in Data Protection Laws. In the event of any changes to Data Protection Laws that may require variation to this DPA, and upon notice from Customer, the Parties shall promptly discuss such variations and negotiate in good faith with a view to agreeing on and implementing variations to the DPA designed to address the requirements of any such changes in Data Protection Laws as soon as reasonably practical.

 

ANNEX A. DETAILS OF PROCESSING

1. Data Exporter

  • Company Name: Customer, as specified in the Agreement

  • Address: Customer’s address, as specified in the Agreement

  • Customer Authorized Privacy Contact, position, and contact information: Customer’s contact information, as specified in the Agreement

  • Role: Controller/Business

 

2. Data Importer

  • Company Name: LaderaAI, Inc.

  • Address: 441 Grand Street, Redwood City, CA 94062

  • Contact name, position, and contact information: Privacy Officer, privacy@ladera.ai

  • Role: Processor/Service Provider

3. Activities relevant to the data transferred

Activities related to data transferred are described below in Section 4. Processing Details, under the “Nature of the processing” and “Purpose of the data transfer and further processing” fields.

4. Processing Details

Categories of data subjects whose Customer Personal Data is Processed by LaderaAI

Customer may use Services to process any data subjects as they determine is necessary, including, but not limited to:

  • Customer’s employees, contractors, and other workers; and

  • Customer’s end users.

 

Categories of Customer Personal Data Processed by LaderaAI

Customer may use Services to process any data categories as they determine is necessary, including, but not limited to:

  • Identification data (e.g., personal identification data including, amongst others, name, title, employee number, address, telephone number, email, IP address);

  • Financial data (e.g., identification numbers, account information, payroll and compensation information, income, expenses, tax details);

  • Personal characteristics (e.g., physical, physiological, economic, cultural, or social identity, family/household information, marital status);

  • Educational data (e.g., resumes, professional expertise, qualifications, skills, languages);

  • Employment-/business-related data (e.g., job, title, manager, role, current employment information, performance review, career history, absence and work records, management of product orders);

  • Compliance-related data (e.g., disciplinary records, compliance events, reports of ethics and other violations);

  • Geo-location identifier (e.g., location tracking);

  • Online behavior/preferences (e.g., browsing history, purchasing habits);

  • Device/usage data (e.g., MAC address, hostnames); and

  • IT-related data (e.g., audio/voice recording, e-mail and internet usage logs).

 

Sensitive Personal Information Processed by LaderaAI

Customer may use Services to process any Sensitive Data categories as they determine is necessary, including, but not limited to:

  • Social security numbers, tax file numbers, passport numbers, driver’s license numbers, or similar identifiers (or any portion thereof);

  • Credit or debit card numbers (other than the truncated (last four) digits of a credit or debit card);

  • Employment, financial, credit, genetic, biometric or health information;

  • Racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record;

  • Account passwords; or

  • Other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.

 

Frequency of the transfer

Continuous

 

Nature of the processing

LaderaAI processes Personal Data to provide Customer with Services as described in the Agreement.

Purpose of the data transfer and further processing

LaderaAI processes Personal Data to provide Customer with Services as described in the Agreement.

For Processing involving California consumers, select purpose(s) for Processing Customer Personal Data

  • Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes. 

  • Debugging to identify and repair errors that impair existing intended functionality.

  • Performing services on behalf of Customer, including maintaining or servicing accounts, providing customer service, processing, or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of Customer. 

  • Undertaking internal Services for technological development and demonstration.

  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by Customer, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by Customer.

  • To retain and employ a Sub-processor (subject to the requirements of this DPA).

  • To build or improve the quality of the services it is providing to Customer provided that LaderaAI does not use the Customer Personal Data to perform services on behalf of another person. 

  • To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity. 

 

Period for which the Customer Personal Data will be retained or criteria used to determine that period

The period for which Customer Personal Data will be retained is as described in this DPA.

Sub-processor transfers – subject matter, nature, and duration of processing

The subject matter, nature, and duration of the Processing are described in ANNEX C. APPROVED LIST OF SUB-PROCESSORS of this DPA.

 

ANNEX B. SECURITY MEASURES

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of LaderaAI’s Processing, as well as the risks to individuals, LaderaAI will implement and maintain the following industry-standard technical and organizational security measures:

  1. Information Security Policies and Standards. LaderaAI will implement and maintain industry-standard security requirements and measures for staff and all subcontractors, vendors, and agents who have access to Customer Personal Data, that are reasonably designed to:

    • prevent unauthorized persons from gaining access to Customer Personal Data processing systems;

    • prevent Customer Personal Data processing systems being used without authorization;

    • ensure that persons entitled to use a Customer Personal Data processing system gain access only to such Customer Personal Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage, Customer Personal Data cannot be read, copied, modified or deleted without authorization;

    • ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Customer Personal Data by means of data transmission facilities can be established and verified;

    • ensure the establishment of an audit trail to document whether and by whom Customer Personal Data have been entered into, modified in, or removed from Customer Personal Data processing;

    • ensure that Customer Personal Data are processed solely in accordance with the instructions;

    • ensure that Customer Personal Data are protected against accidental destruction or loss; and

    • ensure that these measures are kept up to date, and revised whenever relevant changes are made to the information system that uses or houses Customer Personal Data, or to how that system is organized.

  2. Physical Security. LaderaAI will maintain commercially reasonable security systems at all LaderaAI sites at which an information system that uses or houses Customer Personal Data is located. LaderaAI will ensure that such systems reasonably restrict access to such Customer Personal Data as appropriate.

  3. Organizational Security. LaderaAI will ensure that when media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Customer Personal Data stored on them before they are withdrawn from the inventory. LaderaAI will ensure that all Customer Personal Data security incidents are managed in accordance with appropriate incident response procedures.

  4. Network Security. LaderaAI will maintain and implement network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection and/or prevention systems, access control lists and routing protocols.

  5. Access Control. LaderaAI will ensure that only authorized staff can grant, modify or revoke access to an information system that uses or houses Customer Personal Data. LaderaAI will implement and maintain commercially reasonable physical and electronic security to create and protect passwords.

  6. Personnel. LaderaAI will implement and maintain a security awareness program to train personnel about their security obligations. LaderaAI will ensure this program includes training about data classification obligations, physical security controls, security practices and security incident reporting.

 

 

ANNEX C. APPROVED LIST OF SUB-PROCESSORS

 

The Sub-processors authorized to Process Customer Personal Data to help LaderaAI provide Services are listed here: https://www.ladera.ai/terms-of-service/subprocessors

 

ANNEX D. APPROVED STANDARD CONTRACTUAL CLAUSES – INTRODUCTION AND SUPPLEMENTAL TERMS

1.0. EEA Personal Data Transfers

Transfers of Customer Personal Data originating in the EEA by Customer to LaderaAI or LaderaAI to Customer in Third Countries are subject to: (a) Module Two (Controller to Processor) where Customer is a Data Controller and LaderaAI is a Data Processor; and (b) Module Three (Processor to Processor) where Customer is a Data Processor and LaderaAI is a Sub-Processor. The information required for the purposes of the SCCs is provided in ANNEX B. SECURITY MEASURES to this DPA.

2.0. Swiss Personal Data Transfers

Where the Customer Personal Data is subject to the Swiss Federal Data Protection Act (“Swiss DPA”), the SCCs above shall apply and be read to be modified as follows:

  • References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.

  • References to “EU,” “Union,” and “Member State” shall be interpreted to include references to “Switzerland.”

3.0. UK Personal Information Transfers

For Customer Personal Data transfers subject to UK Data Protection Laws and transferred in accordance with the UK International Transfer Addendum, the Parties agree as follows:

  • Each Party agrees to be bound by the terms and conditions set out in the UK International Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK International Transfer Addendum.

  • The SCCs shall be interpreted in accordance with Part 2 of the UK International Transfer Addendum.

  • Sections 9 to 11 of the UK International Transfer Addendum override Clause 5 (Hierarchy) of the SCCs.

  • For the purposes of Section 12 of the UK International Transfer Addendum, the EU SCCs shall be amended in accordance with Section 15 of the UK International Transfer Addendum.

  • Information required by Part 1 of the UK International Transfer Addendum is provided as ANNEX A. DETAILS OF PROCESSING of this DPA.

  • To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Sections 18-20 of the UK International Transfer Addendum.

 

4.0. Other Country Transfers

For Customer Personal Data transfers subject to other Data Protection Laws which require the use of SCCs (or other measures) to transfer Customer Personal Data to Third Countries, the parties agree to implement such SCCs or other measures as soon as practicable and document such requirements for implementation.

5.0. Signatures

The Parties agree that the SCCs and the UK International Transfer Addendum are incorporated by reference and that by executing this DPA each party is deemed to have executed the SCCs and the UK International Transfer Addendum.

6.0. European Area SCC and UK Transfer Addendum Information

Where this Section 6 does not explicitly state that it applies to a particular Module of the Standard Contractual Clauses, it applies to both Modules.

SCC Modules in Operation

Module Two (Controller to Processor)

Module Three (Processor to Processor)

 

SCC Clause

GDPR, Swiss DPA, UK Data Protection Laws

Clause 7 – Docking Clause

An entity that is not a party to these clauses may, with the agreement of the parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex 1.A.

Clause 9(a) – Use of Sub-processors (Module 2 and Module 3)

GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

Clause 11 (Redress)

Optional language in Clause 11 shall not apply.

Clause 17 – Governing Law

  • These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

  • These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.

  • These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales.

 

Clause 18 – Choice of Forum and Jurisdiction

  • (b) The parties agree that those shall be the courts of Ireland.

  • The parties agree that those shall be the competent courts of Switzerland.

  • The parties agree that those shall be the competent courts of England and Wales.

 

Annex 1A – List of Parties

Each party’s name, address, contact person’s contact details, and role in Processing Customer Personal Data are provided in ANNEX A. DETAILS OF PROCESSING, Section 1. Data Exporter and Section 2. Data Importer, of this DPA above.

Annex 1B – Description of Transfer

This information can be found in ANNEX A. DETAILS OF PROCESSING, Section 4. Processing Details of this DPA above.

To the extent applicable, the descriptions of safeguards applied to the special categories of Customer Personal Data can be found in ANNEX B. SECURITY MEASURES of this DPA.

Clause 13 and Annex 1C – Competent Supervisory Authority

  • Identify the competent supervisory authority/ies in accordance with Clause 13: Irish Data Protection Commission 

  • Identify the competent supervisory authority/ies in accordance with Clause 13: FDPIC

  • Identify the competent supervisory authority/ies in accordance with Clause 13: UK Information Commissioner

Annex II – Technical and Organizational Measures

The technical and organizational measures designed to ensure the security of Customer Personal Data are described more fully in ANNEX B. SECURITY MEASURES of this DPA.

Annex II – Technical and Organizational Measures – Sub-processors

The technical and organizational measures designed to ensure the security of Customer Personal Data Processed by Sub-processors are described more fully in ANNEX B. SECURITY MEASURES of this DPA.

Annex III – List of Sub-processors

The list of sub-processors is included in ANNEX C. APPROVED LIST OF SUB-PROCESSORS of this DPA. 

Ending the UK Transfer Addendum when the Approved Addendum changes

N/A

Which Parties may end this Addendum as set out in Section 19:

☐ Importer

☐ Exporter

☒ neither Party
