Data Processing Addendum
This Data Processing Agreement (“DPA”) amends and forms part of the written agreement between Luma AI, Inc. (“Company”) and you (“Customer”) under which Company provides the Services and which references and incorporates this DPA (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1. In this DPA:
a) “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a party where "control" means either (a) direct or indirect ownership or control of greater than 50% of the voting securities of such entity; or (b) the ability to control the activities of the entity through contractual rights.
b) “Authorized Affiliate” means a Customer Affiliate that is authorized to use the Services under the Agreement and has not signed their own separate Agreement with Company.
c) “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;
d) “Customer Personal Data” means Personal Data contained in Customer Content (as defined in the Agreement) that is Processed by Company as a Processor on behalf of Customer or Third Party Controller;
e) “Data Protection Law” means data protection and privacy laws and regulations applicable to a party and its respective processing of Customer Personal Data under the Agreement, including where applicable (i) the General Data Protection Regulation 2016/679 (“GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's (“UK”) European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK GDPR”); and (iii) the Swiss Federal Data Protection Act and its implementing regulations and ordinance (“Swiss Data Protection Act”); the California Consumer Privacy Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”) and other similar U.S. state data protection laws in effect; in each case, as amended, superseded or replaced from time to time;
f) “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
g) “International Data Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area (“EEA”) to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner, in each case whether such transfer is a direct or onward transfer;
h) “Personal Data Breach” means a confirmed breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed in environments controlled by Company or its Subprocessors. A “Personal Data Breach” does not include activity that does not compromise Customer Personal Data, including (but not limited to) any unsuccessful attempt to access Customer Personal Data or Company equipment or facilities storing Customer Personal Data, including without limitation pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
i) “Security Measures” means the security measures set forth in Annex II to this DPA;
j) “Services” means the services provided by Company to Customer under the Agreement;
k) “Subprocessor” means a Processor engaged by Company to Process Customer Personal Data;
l) “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
m) “Third-Party Controller” means a Controller for which Customer is a Processor; and
n) “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope
2.1. This DPA applies solely to the extent that Company acts as Customer’s Processor under Data Protection Law in the Processing of Customer Personal Data during the provision of the Services.
2.2. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.3. Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Company and Company need not interact directly with (including seeking authorizations directly from or providing notifications directly to) such third party controller other than through the regular provision of the Services; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
2.5. Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
3. Instructions
3.1. Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions, which instructions shall include processing initiated by Customer in the use of and configuring of the Services. The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Company in relation to the processing of Customer Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
3.2. Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
4. Customer Responsibilities
Customer shall be responsible for complying with its obligations under Data Protection Law in its processing of Customer Personal Data. In particular, Customer agrees that it shall (a) be responsible for determining whether the Services are appropriate for processing Customer Personal Data consistent with Customer's legal and regulatory obligations; (b) comply with its obligations under Data Protection Law in its use of the Platform Services and any processing instructions it issues to Company; and (c) ensure it has the right to make available Customer Personal Data to Company, including providing notice and obtaining all consents necessary under Data Protection Law for Company (and its Subprocessors) to lawfully process Customer Personal Data for the Permitted Purposes. Company is not responsible for determining if Customer's instructions are compliant with applicable law; however, Company shall inform Customer if, in its opinion, Customer's processing instructions infringe Data Protection Law and Company shall not be required to comply with such instruction. Taking into account the nature of the processing, Customer agrees that it is unlikely that Company would become aware that any Customer Personal Data processed by Company is inaccurate or outdated. To the extent Company becomes aware of such inaccurate or outdated data, Company will inform the Customer.
5. Personnel
5.1. Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
6. Security and Personal Data Breaches
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the general risk of processing of Personal Data, as further described in the Security Measures listed in Annex II.
6.2. Company may update the Security Measures from time to time, provided that any updates shall not materially diminish the overall security of Customer Personal Data. Customer shall be responsible for reviewing the Security Measures and any other information made available by Company relating to data security and making an independent determination as to whether the Security Measures meet the Customer's requirements and obligations under Applicable Data Protection Law.
6.3. Customer represents that it has reviewed the Security Measures and determined that it has no reason to believe that, if implemented, such Security Measures would be inappropriate in relation to the risks associated with Customer’s particular Customer Personal Data and its intended Processing and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.
6.4. Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
7. Subprocessing
7.1. Customer hereby authorizes Company to engage Subprocessors. A list of Company’s current Subprocessors is set forth on Company’s website at https://lumalabs.ai/legal/subprocessors (the “Subprocessor List”).
7.2. Company will: (i) ensure that each Subprocessor shall be bound by a written agreement, including data protection terms and security measures, no less protective of Customer Personal Data than the Agreement and this DPA; and (ii) be liable for any breach of this DPA caused by an act, error or omission of its Subprocessors to the extent Company would have been liable had such breach been caused by Company.
7.3. Company shall notify Customer if it engages a new Subprocessor at least ten (10) days prior to any such change if Customer opts in to receive such notifications in the manner made available on the Subprocessor List.
7.4. Customer may object in writing to Company’s appointment of a new Subprocessor based on reasonable data protection concerns by emailing privacy@lumalabs.ai a notice detailing the grounds of such objection within five (5) calendar days of notice of a new Subprocessor from Company and the parties will discuss such concerns in good faith. If parties are unable to reach a mutually agreeable resolution, Company shall either: (a) instruct the Subprocessor to not process Customer Personal Data; (b) with respect to new Subprocessors for the Services, permit Customer to continue to use the Services without the functionality offered by the new Subprocessor, or (c) notify Customer of its option to terminate the Agreement and this DPA within fourteen (14) calendar days. If Customer exercises its right to terminate the Agreement and this DPA, Company will provide Customer, as its sole and exclusive remedy, with a pro rata reimbursement of any prepaid, but unused fees.
8. Assistance
8.1. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach. Any assistance provided shall be relevant to the Services that support the processing of Customer Personal Data and commercially reasonable and proportionate to the objective of the exercise with which Company is requested to assist.
8.2. If Company receives a subpoena, court order, warrant or other legal demand from law enforcement or public or judicial authorities seeking the disclosure of Customer Personal Data, Company shall, where the Customer is identified or identifiable from such disclosure request and to the extent required and permitted by applicable law, promptly notify Customer of such request and reasonably cooperate with Customer to limit, challenge or protect against such disclosure.
8.3. Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
9. Audit
9.1. Upon reasonable request, and no more than once per calendar year except as set forth herein, Company (a) must make available to Customer on a confidential basis all information necessary to demonstrate compliance with the obligations of this DPA (“Audit Information”) and (b) only to the extent a Supervisory Authority determines that Company’s provision of such Audit Reports does not provide sufficient information to allow Customer to assess Company’s compliance with this DPA or Data Protection Law, Customer shall have the right, at Customer’s expense, to conduct an audit or assessment of reasonable scope and duration to a mutually agreed-upon audit or assessment plan with Company that is consistent with the Audit Parameters ("Audit").
9.2. Each Audit must conform to the following parameters (“Audit Parameters”): each Audit must (i) be reasonable in scope taking into account the architecture of and use by Customer of the Services; (ii) be conducted by an independent third party that will enter into a confidentiality agreement with Company; (iii) occur at a mutually agreed date and time and only during Company’s regular business hours; (iv) occur no more than once annually with at least three weeks’ advance written notice unless otherwise required by a Supervisory Authority or in the instance in which there has been a Personal Data Breach; (v) extend only to facilities and documents controlled by Company that are relevant and material to the Processing of Customer Personal Data; (vi) not violate any obligation between Company and its service providers or third parties; (vii) restrict findings to only Customer Personal Data relevant to Customer; and (viii) obligate Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
9.3. Company will inform Customer if Company believes that Customer’s instruction under Section 9.1 infringes Data Protection Law. Company may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
10. International Data Transfers
10.1. Customer hereby authorizes Company to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Sections 10.2 and 10.3.
10.2. By signing this DPA, Company and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the optional docking clause in Clause 7 is implemented and Affiliates may accede to the SCCs subject to mutual agreement of the parties; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 7.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of the Republic of Ireland, the courts in Clause 18(b) are the Courts of the Republic of Ireland, Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively.
10.3. By signing this DPA, Company and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Company, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 10.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, the “Importer” can terminate the UK Addendum.
10.4. For International Data Transfers from Switzerland: (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and (ii) the SCCs cover Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020. Until such time, in relation to transfers of Customer Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented above shall apply with the following modifications: (1) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein; references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and “Swiss law” and references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “competent Swiss courts”; and the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
10.5. If Company’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Company’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Company reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
11. General
11.1. Notifications
a) Customer will send all notifications, requests and instructions under this DPA to Company’s Legal department via email to legal@lumalabs.ai.
b) Company will send all notifications under this DPA to Customer’s contact at their account email address.
11.2. Authorized Affiliates. Company's obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) Customer is solely responsible for communicating any processing instructions on behalf of its Authorized Affiliates; (b) Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations under this DPA; and (c) if an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against Company (“Authorized Affiliate Claim”), Customer must bring such Authorized Affiliate Claim directly against Company on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim, and all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.
11.3. Liability. The total and combined liability of each of the parties (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA (including the SCCs), whether in contract, tort (including negligence), or any other theory of liability, shall be subject to the exclusions and limitations of liability set forth in the Agreement, provided that where Company has paid compensation, damages or fines as a result of an action or inaction by Customer, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.
11.4. Termination and return or deletion.
a) This DPA is terminated upon the termination of the Agreement.
b) Customer may request return of Customer Personal Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Company will, upon Customer’s request following termination or expiry of the Agreement, return or delete all Customer Personal Data in its possession or control.
11.5. Third Party Rights. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a third party controller), but without prejudice to the rights or remedies available to data subjects under Applicable Data Protection Law or the Standard Contractual Clauses.
11.6. Applicable law and jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Law.
11.7. Modification of this DPA. This DPA may only be modified by a written amendment signed by both Company and Customer.
11.8. Invalidity and severability. If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
———
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
● Name: Customer (as defined above)
● Address: See signature page above.
● Contact person’s name, position and contact details: See signature page above.
● Activities relevant to the data transferred under these Clauses: Customer receives Company’s services as described in the Agreement and Customer provides Personal Data to Company in that context.
● Signature and date: See signature page above.
● Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
● Name: Company (as defined above)
● Address: See signature page above.
● Contact person’s name, position and contact details: See signature page above.
● Activities relevant to the data transferred under these Clauses: Company provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
● Signature and date: See signature page above.
● Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
● Categories of Data Subjects whose Personal Data is transferred:
| # | Category of Data Subjects |
|---|---|
| 1 | Customer's customers or end-users |
| 2 | Customer's personnel, staff and contractors |
● Categories of Personal Data transferred:
| # | Category of Personal Data |
|---|---|
| 1 | Contact details: email address |
| 2 | Personal data contained in Customer Content |
● Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
| # | Category of Sensitive Data | Applied restrictions or safeguards |
|---|---|---|
| 1 | Luma does not purposefully process sensitive data | Not applicable |
● The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
● Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement.
● Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
● The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
● For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
● The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Customer’s country of establishment, or, where not applicable, b) of the country where Customer’s EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
● The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
● The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
———
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES
Company will, at a minimum, implement the following types of security measures:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:
🗹 Establishing security areas, restriction of access paths;
🗹 Establishing access authorizations for employees and third parties;
🗹 Access control system (ID reader, magnetic card, chip card);
🗹 Key management, card-keys procedures;
🗹 Door locking (electric door openers etc.);
🗹 Surveillance facilities, video/CCTV monitor, alarm system
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
🗹 User identification and authentication procedures;
🗹 Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password);
🗹 Automatic blocking (e.g. password or timeout);
🗹 Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
🗹 Creation of one master record per user, user-master data procedures per data processing environment
3. Data access control
Technical and organizational measures designed to limit data processing systems access only to such Customer Personal Data in accordance with their access rights, and to prevent Customer Personal Data from being read, copied, modified or deleted without authorization, include:
🗹 Internal policies and procedures;
🗹 Control authorization schemes;
🗹 Monitoring and logging of accesses;
🗹 Disciplinary action against employees who access Customer Personal Data without authorization;
🗹 Access procedure;
🗹 Change procedure;
🗹 Deletion procedure; and
🗹 Encryption at rest while under Company control.
4. Disclosure control
Technical and organizational measures designed to prevent Customer Personal Data from being read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
🗹 Encryption of Customer Personal Data at rest when under Company control and encryption/tunneling of data sent via the Services between Customer and Company;
🗹 Logging; and
🗹 Transport security.
5. Control of instructions
Technical and organizational measures designed to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
🗹 Unambiguous wording of the contract;
🗹 Formal commissioning (request form); and
🗹 Criteria for selecting the Processor.
6. Availability control
Technical and organizational measures designed to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
🗹 Backup procedures;
🗹 Mirroring of hard disks (e.g. RAID technology);
🗹 Uninterruptible power supply (UPS);
🗹 Remote storage;
🗹 Anti-virus/firewall systems; and
🗹 Disaster recovery plan.
Notwithstanding the foregoing, Customer acknowledges and agrees that it is solely Customer’s responsibility to back up any Customer Personal Data or other Customer Content that Customer desires to maintain a copy of, as the Services are not intended to be used for backup purposes, and backups are not maintained for the purposes of permitting Customer to restore any deleted data.
7. Testing controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
🗹 Testing and evaluation of software updates before they are installed;
🗹 Authenticated (with elevated rights) vulnerability scanning; and
🗹 Test bed for specific penetration tests and Red Team attacks.
8. IT governance
Technical and organizational measures to improve the overall management of IT and align activities associated with information and technology with compliance efforts include:
🗹 Certification/assurance of processes and products;
🗹 Processes for data minimization;
🗹 Processes for data quality;
🗹 Processes for limited data retention;
🗹 Processes for ensuring accountability; and
🗹 Data subject rights policies.
———
Last Updated April 25, 2025