Data Processing Addendum
This Data Processing Addendum (“DPA”) amends and supplements the Terms of Service found at https://www.lucidchart.com/pages/tos and/or https://www.lucidpress.com/pages/tos, as applicable, as updated from time to time (the “Agreement”), between Lucid Software Inc. (“Lucid”) and an enterprise customer (“Customer”), and will be incorporated by reference into, and subject to the terms and conditions of, the Agreement. If there is any inconsistency or conflict between this DPA and the Agreement as it relates to data protection, this DPA will govern.
This DPA sets out the terms that apply when Customer Personal Data is processed by Lucid under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with the Data Protection Legislation and respects the rights of individuals whose Customer Personal Data is processed under the Agreement.
“Customer Personal Data” means Personal Data that is included or embedded in documents created or uploaded by Customer or its Users using the Services. Customer Personal Data does not include Personal Data that Lucid collects to administer the Services. “Personal Data” as used in this definition includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by the Data Protection Legislation.
“Data Subject” means the individual to whom Customer Personal Data relates.
“Data Protection Legislation” means as applicable: (a) the GDPR; (b) any United Kingdom law replacing or succeeding the GDPR; (c) the Federal Data Protection Act of 19 June 1992 (Switzerland); and/or (d) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”).
“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
“Standard Contractual Clauses” means the standard contractual clauses, as agreed by the European Commission, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, as updated, amended, replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission's Decision 2010/87/EU of 5 February 2010, available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
The terms “controller”, “processing”, “processor”, and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the GDPR. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement.
2. PROCESSING OF DATA.
2.1. Scope and Purpose of Processing. This DPA applies only where and to the extent Data Protection Legislation applies to Lucid’s processing of Customer Personal Data on behalf of Customer in the course of providing the Services pursuant to the Agreement. The purpose of data processing under this DPA is the provision of the Services pursuant to the Agreement.
2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Lucid is a processor of Customer Personal Data under the Data Protection Legislation; (b) Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer Personal Data.
2.3. Authorization by Third Party Controller. If Customer is a processor, Customer warrants to Lucid that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Lucid as another processor, have been authorized by the relevant controller.
2.4. Customer Instructions. Customer instructs Lucid to process Customer Personal Data: (a) in accordance with the Agreement, any applicable order form or statement of work, and Customer’s use of the Services; and (b) to comply with other reasonable written instructions provided by Customer or a User where such instructions are consistent with the terms of the Agreement. Customer will ensure that its instructions for the processing of Customer Personal Data comply with the Data Protection Legislation. Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data. Customer will disclose Customer Personal Data to Lucid solely pursuant to a valid business purpose.
2.5. Lucid’s Compliance with Customer Instructions. Lucid will only process Customer Personal Data in accordance with Customer’s instructions and will treat Customer Personal Data as confidential information. Lucid may process Customer Personal Data other than on the written instructions of Customer if it is required under applicable law to which Lucid is subject. In this situation, Lucid will inform Customer of such requirement before Lucid processes the Customer Personal Data unless prohibited by applicable law. Lucid will not: (a) sell Customer Personal Data; (b) collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer Personal Data except to provide the Services or as expressly permitted by this Agreement. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
3. SECURITY; PRIVACY IMPACT ASSESSMENTS.
3.1. Lucid Personnel. Lucid will ensure that its personnel engaged in the processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with Lucid.
3.2. Security. Lucid will implement appropriate technical and organizational measures to safeguard Customer Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.3. Data Privacy Impact Assessments. Lucid will take reasonable measures to cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any supervisory authority, if Customer is required to do so under Data Protection Legislation.
4. DATA SUBJECT RIGHTS.
4.1. Assistance with Customer’s Obligations. Lucid provides Customer the ability to correct, amend, restrict, block or delete Customer Personal Data contained in the Services. Lucid shall promptly comply with reasonable requests by Customer to assist with such actions to the extent Lucid is legally permitted and able to do so.
4.2. Notification Obligations. Lucid shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of Customer Personal Data relating to such individual. Lucid will forward such Data Subject request relating to Customer Personal Data to Customer and Customer will be responsible for responding to any such request using the functionality of Services. Lucid shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Services.
5.1. General Authorization. Customer generally authorizes the use of subprocessors to process Customer Personal Data in connection with fulfilling Lucid’s obligations under the Agreement and/or this DPA.
5.2. New Subprocessors. When Lucid engages a new subprocessor to process Customer Personal Data, Lucid will, at least ten (10) days before the new subprocessor processes any Customer Personal Data, notify Customer by updating its list of subprocessors located at https://www.lucidchart.com/pages/eu-personal-data-sub-processor-list and give Customer the opportunity to object to such subprocessor.
5.3. Lucid Obligations. Lucid will remain liable for the acts and omissions of its subprocessors to the same extent Lucid would be liable if performing the services of each subprocessor directly under the terms of this DPA. Lucid will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Lucid under this DPA.
6. DATA TRANSFERS.
6.1. Governing Terms. For transfers of Customer Personal Data under this DPA from the EEA to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Legislation, to the extent such transfers are subject to the Data Protection Legislation, the parties will transfer Customer Personal Data internationally only pursuant to a transfer mechanism valid under Data Protection Legislation or applicable law, i.e. a valid mechanism in the exporting country (such as the EU-U.S. Privacy Shield Framework) which is approved by the European Commission as ensuring an adequate level of protection. Lucid has certified compliance with the EU-U.S. Privacy Shield Framework. If the transfer mechanism authorizing the transfer of Customer Personal Data from one country to another country as contemplated in this Section is no longer applicable to Lucid, then immediately upon its expiration, Customer and Lucid will enter into the Standard Contractual Clauses, incorporated herein by reference. For purposes of the Standard Contractual Clauses, (a) Customer, the party transferring from the EEA or Switzerland, will be referred to as the “Data Exporter”; and (b) Lucid will be referred to as the “Data Importer.” Annex A to this DPA shall apply as Appendix 1 of the Standard Contractual Clauses. Annex B to this DPA shall apply as Appendix 2 of the Standard Contractual Clauses.
7. SECURITY BREACH.
7.1. Notification Obligations. In the event Lucid becomes aware of any Security Breach, Lucid will notify Customer of the Security Breach without undue delay. The obligations in this Section 7 do not apply to incidents that are caused by Customer or Customer's personnel or Users or to unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
7.2. Manner of Notification. Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Lucid selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Lucid’s systems at all times. Furthermore, it is Customer’s sole responsibility to notify the relevant data protection supervisory authority and, when applicable, the Data Subjects of a Security Breach as required under Articles 33 and 34 of the GDPR.
8. TERM AND TERMINATION.
8.1. Term of DPA. This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data as described in this DPA.
8.2. Deletion of Customer Data. Lucid shall retain Customer Personal Data in its possession until 30 days following the earlier of: (a) written confirmation from Customer that Lucid may delete Customer’s account and all User accounts; or (b) the date that Customer and all Users delete their accounts. Prior to deletion, Lucid will make any Customer Personal Data in its possession available for download by Customer. Lucid shall have no obligation to retain any portion of Customer Personal Data after such period except to the extent that Lucid is required under Data Protection Legislation to keep a copy of the Customer Personal Data.
9.1. Audit Rights. Upon Customer’s written request no more than once per year, Lucid will provide a copy of its then most recent third-party audits or certifications, as applicable, or any summaries thereof, in order that Customer may reasonably verify Lucid’s compliance with the technical and organizational measures as required under this DPA. Audit requests must be sent via certified mail to 10355 South Jordan Gateway, Suite 300, South Jordan, UT, USA 84095, ATTN: Legal. To the extent Customer and this DPA are subject to the GDPR, Lucid will allow Customer or a mutually agreed upon independent auditor appointed by Customer to conduct an audit (including inspection) at Customer’s sole cost and expense, no more than once per year upon eight weeks’ notice sent to the above address complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. Lucid will contribute to such audits whose sole purpose will be to verify Lucid’s compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement acceptable to Lucid before conducting the audit. The audit must be conducted during regular business hours, subject to Lucid’s policies, and may not unreasonably interfere with Lucid’s business activities.
9.2. Separate Service. Any request for Lucid to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer shall reimburse Lucid for any time spent for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by Lucid. Customer shall promptly notify Lucid with information regarding any non-compliance discovered during the course of an audit.
9.3. Limits on Auditing Party. Nothing in this DPA will require Lucid either to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (a) any data of any other customer of Lucid; (b) Lucid's internal accounting or financial information; (c) any trade secret of Lucid; (d) any premises or equipment not controlled by Lucid; or (e) any information that, in Lucid's reasonable opinion, could: (i) compromise the security of Lucid’s systems or premises; (ii) cause Lucid to breach its obligations under Data Protection Legislation or the rights of any third-party; or (iii) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of Customer's obligations under the Data Protection Legislation. Customer shall contractually impose, and designate Lucid as a third-party beneficiary of, any contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Data importer
Lucid Software Inc.
Data subjects
Data Subjects whose personal data the Users upload to or include or embed in documents created using the Services
Categories of data
Any data that the Users upload to the Services or reflect in documents created using the Services, typically name and email address.
Special categories of data (if appropriate)
Processing operations
Lucid will process Customer Personal Data pursuant to the DPA solely for the purpose of providing and improving the Services and administering the Customer’s accounts.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
The data importer maintains reasonable administrative, technical and physical measures to safeguard personal data against unauthorized access, loss, misuse, disclosure, alteration and destruction. These measures include: (1) imposing contractual restrictions and obligations on third party service providers to ensure personal data is properly safeguarded; (2) training data importer employees on privacy and data security policies and procedures; (3) restricting physical access to systems that contain sensitive or critical applications; (4) implementing technical safeguards, such as firewalls, encryption, antivirus software, file permissions, intrusion prevention systems and intrusion detection systems; (5) regular system and server backups; and (6) implementing and maintaining an employee policy that relates to storing and securing physical and electronic copies of personal data.