Data Processing Agreement for Lucidworks Suppliers

This Data Processing Agreement (“DPA”) is dated effective as of the date of the last signature below (“Effective Date”), and is made by and between the organization identified below (“Supplier”) and Lucidworks, Inc., a Delaware corporation, having a principal place of business at 235 Montgomery Street, San Francisco, CA, USA, and its Affiliates (“Lucidworks”), each a “Party” and collectively the “Parties.” This DPA applies where, and only to the extent that, Supplier Processes Lucidworks Data in the course of providing Services to Lucidworks under the Agreement, and forms a part of the Agreement.

    1. Definitions.
      1. “Affiliate” has its meaning as set forth in the Agreement (if defined) or means any entity (i) that is owned more than 50% by a Party, (ii) over which a Party exercises management control, (iii) that is under common control with a Party, or (iv) that owns more than 50% of a Party’s voting securities or other voting interests. As to Lucidworks, any reference to “Affiliate” herein is strictly limited to those Affiliates of Lucidworks that qualify as a Controller and are permitted to use the Services pursuant to the Agreement.
      2. “Agreement” means the existing agreement(s), order(s), purchase orders and statements of work, or other commercial arrangement, pursuant to which Supplier provides the Services to Lucidworks, and includes any exhibits and subsequent amendments or orders.
      3. “Lucidworks Data” means the Personal Data that Supplier Processes in the course of providing the Services to Lucidworks.
      4. “Data Protection Laws” means all data protection, privacy and cyber security laws and regulations of any country applicable to Supplier’s Processing of Lucidworks Data under the Agreement, including (where applicable and without limitation) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the revised Swiss Data Protection Act (“revDPA”), data protection laws of the European Union (“EU”) or European Economic Area member states (“EEA”) or the United Kingdom (including Gibraltar) (“UK”) that supplement GDPR or UK GDPR (respectively), and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively referred to as the “CCPA”), in each case as may be amended or superseded from time to time.
      5. “Data Subject” means the individual to whom Personal Data Processed by Supplier in the performance of the Agreement relates.
      6. “ex-EEA Transfer” means a Processing activity whereby Lucidworks Data which is Processed in accordance with the GDPR is transferred from Lucidworks to Supplier outside the EEA, and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
      7. “ex-Swiss Transfer” means a Processing activity whereby Lucidworks Data which is Processed in accordance with Swiss Data Protection Laws is transferred from Lucidworks to Supplier outside Switzerland, and such transfer is not governed by an adequacy decision made by the Federal Data Protection and Information Commissioner of Switzerland (“FDPIC”) in accordance with the relevant provisions of the revDPA.
      8. “ex-UK Transfer” means a Processing activity whereby Personal Data which is Processed in accordance with the UK Data Protection Laws is transferred from Lucidworks to Supplier outside the UK or Gibraltar, and such transfer is not governed by an adequacy decision pursuant to Section 17A of the UK Data Protection Act 2018.
      9. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This definition includes “Personal Data,” “Personal Information,” or “Personally Identifiable Information,” as defined by any applicable Data Protection Laws. Personal Data does not include information or data that has been Processed in such a manner that it no longer identifies, relates to, describes, or is capable of being associated or linked with a particular Data Subject.
      10. “Personal Data Breach” means any unauthorized or unlawful breach of security leading to the unauthorized access to, disclosure of, loss of, alteration of, or acquisition of Lucidworks Data.
      11. “Processing” or “Process” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
      12. “Restricted Transfer” means (i) where the GDPR applies, an ex-EEA Transfer, (ii) where the UK GDPR applies, an ex-UK Transfer, and (iii) where the revDPA applies, an ex-Swiss Transfer.
      13. “Services” means the software, software as a service, software-related products, support and maintenance services, professional services, and such other activities to be supplied to or carried out by or on behalf of Supplier for Lucidworks per the Agreement, or as otherwise defined in the Agreement.
      14. “Subprocessor” means any third party (including any Supplier Affiliate) appointed by or on behalf of Supplier or any Supplier Affiliate to Process Lucidworks Data in connection with the Services or the Agreement.
    2. Scope and Applicability. Lucidworks hereby instructs Supplier to Process Lucidworks Data on Lucidworks’s behalf. In respect of such Processing, and as between Supplier and Lucidworks, Lucidworks will be the controller (or, where Lucidworks is instructing Supplier on behalf of a third-party controller, a processor on behalf of that controller) and Supplier will be a processor (or, where Lucidworks is a processor on behalf of a third-party controller, Supplier will be a subprocessor to Lucidworks). The “Business Purpose” for Supplier’s Processing of Lucidworks Data on Lucidworks’s behalf is identified in Schedule 1. The duration of the Processing, the nature and purpose of the Processing, the types of Lucidworks Data, and the categories of Data Subjects processed under this DPA are further specified in Schedule 1.
    3. Supplier Obligations. Supplier may Process Lucidworks Data on behalf of Lucidworks solely in accordance with the terms of the Agreement, this DPA, the Data Protection Laws applicable to such Processing by Supplier, and Lucidworks’s lawful instructions. Supplier shall ensure that any person who is authorized by Supplier to Process Lucidworks Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty), with respect to such Personal Data. Supplier shall implement and maintain throughout the term of this DPA appropriate technical and organizational measures as set forth in Schedule 2. In assessing the appropriate level of security, Supplier will take into account the risks, including those resulting from a Personal Data Breach, that are presented by the Processing at issue. Lucidworks acknowledges that these technical and organizational measures are subject to technical progress and development and that Supplier may update or modify these technical and organizational measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Lucidworks.
    4. Lucidworks Representations and Warranties. Lucidworks hereby represents and warrants that it: (a) will maintain appropriate notice and consent mechanisms, consistent with applicable Data Protection Laws, for the collection, use, and disclosure of Lucidworks Data; (b) has any and all consents, authorizations, rights, and authority necessary to transfer or disclose, and permit Supplier to Process, any and all Lucidworks Data in connection with the Agreement; and (c) will have sole responsibility for the accuracy, quality, and legality of any and all Lucidworks Data Processed by Supplier. Lucidworks will promptly notify Supplier if it is unable to comply with any of its obligations hereunder.
    5. Subprocessors. Lucidworks acknowledges and expressly agrees that Supplier may retain its Affiliates or certain third parties as Subprocessors to Process Lucidworks Data in order for Supplier to provide the Services. Lucidworks hereby authorizes Supplier to engage the Subprocessors set forth in Schedule 3. Lucidworks shall have notification rights and rights to object to such Subprocessors in accordance with Schedule 3. Prior to a Subprocessor’s Processing of Lucidworks Data, Supplier shall: (a) enter into an agreement with the Subprocessor that imposes data protection terms on the Subprocessor regarding the processing of Lucidworks Data to the standard required by Data Protection Laws, and (b) remain responsible for its compliance with the obligations subcontracted to the Subprocessor.
    6. Personal Data Breach. In the event that Supplier becomes aware of a Personal Data Breach, Supplier will notify Lucidworks without undue delay, in accordance with Data Protection Laws, and shall provide timely information relating to the Personal Data Breach as it becomes known or as is reasonably requested by Lucidworks, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Following such notification, Supplier will take reasonable steps to mitigate the effects of the Personal Data Breach and provide reasonable assistance and cooperation regarding any notifications that Lucidworks is legally required to send to affected Data Subjects and regulators.
    7. Security Reports and Audit Obligations. Supplier shall provide written responses (on a confidential basis) to all reasonable requests for information made by Lucidworks that Lucidworks (acting reasonably) considers necessary to confirm Supplier’s compliance with this DPA, as well as applicable Data Protection Laws (including the GLBA Safeguards Rule as it relates to service providers). Lucidworks consents to Supplier satisfying the foregoing audit obligation by providing Lucidworks with attestations, certifications, and summaries of audit reports conducted by accredited third party auditors.
    8. Lucidworks Security Responsibilities. Notwithstanding anything herein to the contrary, Lucidworks agrees that, except as provided by this DPA, Lucidworks is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Lucidworks Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Lucidworks Data uploaded to the Services. Supplier’s liability for a Personal Data Breach toward Lucidworks and any third party is subject to the following conditions: (a) Supplier is liable only where the Personal Data Breach is caused by a violation of Supplier’s or its Subprocessor’s obligations set forth in this DPA (including a violation of Data Protection Laws); and (b) Supplier is not liable to the extent the Personal Data Breach is caused by acts or omissions of Lucidworks, or of any person acting on behalf of or jointly with Lucidworks.
    9. Information and Assistance. To the extent required by an applicable Data Protection Law, Supplier will cooperate with Lucidworks in compiling necessary records of processing activities for Lucidworks, as well as in any necessary data protection impact assessments of Lucidworks or subsequent consultation with a data protection supervisory authority or regulator.
    10. Data Subject Requests. To the extent that Lucidworks is unable to independently access the relevant Lucidworks Data within the Services, Supplier shall, taking into account the nature of the Processing and to the extent permitted by law (at Lucidworks’s expense), provide reasonable cooperation to assist Lucidworks, by appropriate technical and organizational measures and in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Lucidworks Data under the Agreement. In the event that any such request is made directly to Supplier, Supplier shall not respond to such communication directly without Lucidworks’s prior authorization, unless legally compelled to do so.
    11. Subpoenas and Court Orders. If a law enforcement agency sends Supplier a demand for Lucidworks Data (for example, through a subpoena or court order), Supplier shall give Lucidworks reasonable notice of the demand to allow Lucidworks to seek a protective order or other appropriate remedy unless Supplier is legally prohibited from doing so.
    12. Return or Disposal of Data. Upon termination or expiration of the Agreement for any reason, Supplier will destroy or return Lucidworks Data (including copies) in its possession or control at Lucidworks’s request and choice in accordance with the Agreement. Notwithstanding, this requirement shall not apply to the extent Supplier is required by applicable law to retain some or all of the Lucidworks Data.
    13. Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA together.
    14. International Data Transfers. Lucidworks consents to the transfer of Lucidworks Data to, and its Processing in, the United States and anywhere else in the world where Supplier or its Subprocessors maintain data processing operations, provided that any transfers by Supplier that constitute Restricted Transfers will be subject to a transfer impact assessment and/or any other legally required transfer mechanism, which will be available to Lucidworks for review upon request.
        1. The Parties agree that when the transfer of Lucidworks Data from Lucidworks (as data exporter) to Supplier (as data importer) is an ex-EEA Transfer, such transfers will be subject to Module Two (Controller to Processor), in the case of Lucidworks acting as the controller, or Module Three (Processor to Processor), in the case of Lucidworks acting as the Processor to its Customer who is the controller, of the Standard Contractual Clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 (as amended and updated from time to time) (“EU SCCs”). The EU SCCs are deemed incorporated into the Agreement by reference, replace and supersede any former SCCs, take precedence over the rest of the Agreement to the extent of any conflict, and, for the purposes of this DPA (and the UK and Swiss provisions below), are completed as follows:
          1. The optional docking clause in Clause 7 does not apply;
          2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes shall be as set forth in Schedule 3 to this DPA;
          3. In Clause 11, the optional language does not apply;
          4. In Clause 17 (Option 1), the EU SCCs will be governed by law of Ireland;
          5. In Clause 18(b), disputes will be resolved before the courts of Ireland;
          6. Schedule 1 to this DPA contains the information required in Annex I of the EU SCCs;
          7. Schedule 2 to this DPA contains the information required in Annex II of the EU SCCs; and
          8. Schedule 3 to this DPA contains the information required in Annex III of the EU SCCs.
        2. The Parties agree that when the transfer of Lucidworks Data from Lucidworks to Supplier is an ex-UK Transfer, such transfer will be subject to the EU SCCs, as amended by and together with the following terms which the Parties hereby agree are legally binding upon the parties with the same effect as the terms and conditions of this DPA:
          Part 1:
          1. Start Date. The effective date of this Addendum is the DPA Effective Date.
          2. Parties’ Details. “Lucidworks,” as defined in this DPA, is the “Exporter.” Supplier is the “Importer.” The Parties’ details are set forth in the Signature Section and Schedule 1.
          3. Addendum EU SCCs. For the purposes of this Addendum, the “Addendum EU SCCs” means the EU SCCs identified in Section 14.1 of this DPA, including the Appendix Information (defined below) and with only the modules, clauses, and optional provisions of the EU SCCs brought into effect for the purposes of this section as set forth in Section 14.1 of this DPA.
          4. Appendix Information. “Appendix Information” (“Table 3” for the purposes of the Mandatory Clauses) means the information which must be provided for the Approved EU SCCs, which for this section is set forth as follows:
            1. “Annex I.A” shall be deemed to mean the information in Part 1, Section 2 above.
            2. “Annex I.B” shall be deemed to mean the information in Schedule 1.
            3. “Annex II” shall be deemed to mean the information in Schedule 2.
            4. “Annex III” shall be deemed to mean the information in Schedule 3.
          5. Ending the Addendum when the Approved Addendum Changes. The Importer may end the terms of this section as set forth in the Mandatory Clauses, Section 19.

          Part 2:
          Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

        3. The Parties agree that when the transfer of Lucidworks Data from Lucidworks (as data exporter) to Supplier (as data importer) is an ex-Swiss Transfer, such transfers are made pursuant to the EU SCCs with the modifications set forth below:
          1. The terms of this section apply solely to the Processing of Lucidworks Data of Data Subjects who are residents of Switzerland and not to the Processing of any other Personal Data.
          2. The transfer of Personal Data shall, to the extent legally permitted, be governed by the provisions of the revDPA; references to provisions of the GDPR in the EU SCCs shall be understood to be referring to the equivalent provisions of the revDPA.
          3. Clause 13 is modified so that the Federal Data Protection and Information Commissioner is the competent supervisory authority with respect to Personal Data transfers governed by the revDPA.
          4. For the purposes of the Clauses, the term “Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18.c.
    15. CCPA. This section only applies to the Personal Information of California Consumers included in the Lucidworks Data. For the purposes of this section, “Collects,” “Consumer,” “Personal Information,” “Processing,” “Sell,” and “Share” shall have their meanings as set forth in the CCPA. The Parties acknowledge and agree that Supplier is Processing Personal Information pursuant to the Agreement as a “service provider” (as defined by the CCPA) of Lucidworks for the Business Purposes (as defined in this DPA). As such, Supplier represents and warrants as follows: (a) Supplier will not retain, use, or disclose any Personal Information it Collects pursuant to the Agreement for any purpose other than the Business Purposes or as otherwise permitted by the CCPA; (b) Supplier shall not Sell or Share any Personal Information it Collects pursuant to the Agreement; (c) Supplier shall not retain, use, or disclose the Personal Information that it Collects pursuant to the Agreement outside of the direct business relationship between Supplier and Lucidworks, except as permitted by the CCPA; and (d) Supplier shall not combine any Personal Information it Collects pursuant to the Agreement with Personal Information that it receives from, or on behalf of, another person or business, or that it Collects from its own interactions with individuals, except as permitted by the CCPA. The parties acknowledge and agree that any combining contemplated by the Services is being performed by Supplier for the Business Purposes and such purposes constitute a “business purpose” (as defined by the CCPA).
    Supplier further agrees as follows: (a) Supplier will comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required by businesses subject to the CCPA; (b) Supplier will implement those reasonable security procedures and practices set forth in this DPA with respect to the Personal Information it Collects pursuant to the Agreement; (c) Lucidworks may monitor Supplier’s compliance with this section and Lucidworks’s obligations under the CCPA, in accordance with the audit terms set forth in this DPA; (d) Lucidworks may, upon notice, take those reasonable and appropriate steps set forth in this DPA and the Agreement to stop and remediate any unauthorized use of Personal Information by Supplier; (e) Supplier will notify Lucidworks of any Consumer requests pursuant to the terms of this DPA; (f) Supplier will notify Lucidworks after it makes a determination that it can no longer meet its obligations under the CCPA; and (g) if Supplier subcontracts with another person in providing services to Lucidworks, Supplier will have a contract with such subcontractor that complies with the CCPA.
    16. Miscellaneous. To the extent applicable, the parties agree that by entering into and executing this DPA, the EU SCCs and all Schedules constitute legally binding contracts between the parties and are hereby deemed to be signed by the parties. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict. Unless otherwise provided for in this DPA or required by applicable Data Protection Law, this DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement. Any disputes between the parties arising under this DPA are to be handled as set out in the Agreement.

Authority of Signatories. By signing below, each Party: (i) indicates that it agrees to all terms and conditions of this DPA; and (ii) further warrants to the other Party that (A) it has the authority to enter into this DPA, (B) all necessary corporate or other approvals have been or will be obtained, and (C) the individual who has signed this DPA on behalf of a Party is authorized to do so.

SUPPLIER:

[SUPPLIER SOFTWARE, INC.]

By: ____________________________

Name:

Title:

Date: _____________________________

LUCIDWORKS:

_________________________________

By: ______________________________

Name: ____________________________

Title: _____________________________

Date: _____________________________

SCHEDULE 1:

DETAILS OF PROCESSING OF PERSONAL DATA

  1. LIST OF PARTIES
    (For the purposes of the EU SCCs, this information constitutes the details of Annex I.A.)

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name: Lucidworks, Inc.

Address: 235 Montgomery Street, San Francisco, CA 94104

Contact person’s name, position, and contact details: xxx

Activities relevant to the data transferred under these Clauses: xxx

Signature and date: ____________________________________

Role (controller/processor): Controller or Processor (where Lucidworks is acting on behalf of a third-party controller)

Data importer(s):

Name: Supplier Software, Inc.

Address:

Contact person’s name, position, and contact details:

Activities relevant to the data transferred under these Clauses: Supplier’s provision of the Services under the Agreement.

Signature and date: _____________________________________________

Role (controller/processor): Processor or subprocessor (where Lucidworks is a processor acting on behalf of a third-party controller)

  2. DESCRIPTION OF TRANSFER
    (For the purposes of the EU SCCs, this information constitutes the details of Annex I.B.)

Categories of Data Subjects whose Personal Data may be Processed and/or transferred as Lucidworks Data: Employees and third-party contractors of Lucidworks.

Categories of Personal Data that may be Processed and/or transferred as Lucidworks Data: Name, business email address, business telephone, business address, job title.

Sensitive/special categories of data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved (such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures): None.

Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous during the term of the Agreement.

Nature of the processing: The Lucidworks Data transferred will be Processed in accordance with this DPA and the Agreement and may be subject to the following processing activities:

  • storage and other processing necessary to provide, maintain and improve the Services provided to Lucidworks;
  • provision of technical support to Lucidworks; and
  • disclosures in accordance with the Agreement, including those compelled by law.

Purpose(s) of the data transfer and further processing: For the purposes of: (i) providing the Services described in the Agreement, (ii) to prevent fraud and ensure the security of the Services, (iii) to perform any steps necessary for the performance of its obligations under the Agreement, (iv) as initiated by any Authorized User (as such term is defined in the Agreement) in its use of the Services, and (v) to comply with other reasonable and lawful instructions provided by Lucidworks.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Lucidworks Data will be returned or deleted within 60 calendar days of the date of cessation of any Services involving the Processing of Personal Data, unless retention is required by applicable law or regulation.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: See Schedule 3. The subject matter of the Processing by such Subprocessors is described in Schedule 3 and above. The Processing is for the purposes described above and in Schedule 3, and for the duration of the Agreement, coterminous with the duration of Processing expected of Supplier under the Agreement, subject to the retention period described above. The information captured, which is necessary for the purposes of providing the Services under the Agreement, is the Lucidworks employee’s name, business email, job title, business address, and business phone numbers.

  3. COMPETENT SUPERVISORY AUTHORITY
    (For the purposes of the EU SCCs, this information constitutes the details of Annex I.C.)

Competent Supervisory Authority (identify the competent supervisory authority/ies in accordance with Clause 13 of the EU SCCs): The competent supervisory authority will be determined in accordance with Clause 13(a) of the EU SCCs or as otherwise provided herein.

SCHEDULE 2:

TECHNICAL AND ORGANIZATIONAL MEASURES

Supplier will have in place technical, physical, and organizational security measures that minimally meet the requirements set forth in this Schedule 2.

  1. The technical and organizational security measures applicable to Personal Data will provide the same or better data security protections as the Processor applies to its own Personal Data and confidential information, but in no event may those protections be anything less than that required to comply with Data Protection Laws and company policies. The Processor’s technical and organizational security measures will ensure the protection of Personal Data, Lucidworks systems, and the Processor’s systems from unauthorized use, alteration, access, or disclosure and will ensure the overall confidentiality, integrity, and availability of Personal Data.
  2. Without limiting any other obligations and requirements, Processor has implemented and will maintain a comprehensive, written information security program that materially conforms to the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 2 Type II audit control requirements. One or more designated qualified individuals will be responsible for maintaining the Processor’s information security program. Processor will regularly review the information security program, at least annually and whenever there is a material change in practice, to identify and assess reasonably foreseeable internal and external risks to the privacy, security, and/or integrity of any electronic, paper, or other records containing Personal Data and to ensure that Processor’s information security program continues to comply with applicable Data Protection Laws.
  3. Any Processing of Personal Data will take place on information processing systems for which commercially reasonable technical and organizational measures for protecting Personal Data have been implemented. Each Processor will maintain reasonable and appropriate technical, physical, and administrative measures to protect Personal Data under its possession or control against unauthorized or unlawful Processing or accidental loss, destruction, or damage in accordance with the applicable Data Protection Laws, considering the harm that might result from unauthorized or unlawful processing or accidental loss, destruction, or damage and the sensitivity of the Personal Data.
  4. Each Processor will take reasonable steps to ensure the reliability of employees, temporary workers, contractors, and other personnel (collectively “Personnel”) having access to Personal Data and will limit access to Personal Data to those Personnel who have a business need to have access to such Personal Data and have received reasonable training regarding Processor’s policies and procedures on privacy and security, appropriate handling of Personal Data, and Data Protection Laws.
  5. Appropriate due diligence will be conducted on each Subprocessor to ensure that each can provide the level of protection for Personal Data that is required by this DPA and applicable Data Protection Laws.
  6. Each Processor will ensure that its Personnel, agents, Sub-processors, and any authorized third parties with access to Lucidworks’s (or the relevant Processor’s) premises follow all applicable general, visitor, privacy and physical security policies and only access authorized areas. The access rights to facilities must be removed upon termination of employment, contract or agreement, or adjusted upon change. Additionally, each Processor will take commercially reasonable steps to secure Personal Data, including confidential and private documents and media, during non-working hours (e.g., locked cabinets).
  7. Minimum Controls. Without limiting any other obligations herein, Processor will implement the following security controls:
    1. Train Personnel handling Personal Data at least annually on appropriate and relevant information security-related policies, procedures, and agreements, the importance of privacy, security, and data protection, and the need to comply with obligations to properly handle Personal Data.
    2. Document policies, procedures, and processes to manage the security risks related to Processing of Personal Data and review and update them as needed but at least annually.
    3. Identify and manage Personnel, devices, systems, facilities, and other assets (“Assets”) that access, store, and Process Personal Data and those that are material to the provision of the Services to Lucidworks under the Agreement.
    4. Perform security risk assessments regularly to identify and assess reasonably foreseeable internal and external security risks. Such risk assessments must be aligned with an enterprise-wide risk assessment framework and be performed at least annually to determine the likelihood and impact of all identified risks, using qualitative and quantitative methods. Such risk assessments must consider all relevant risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
    5. Limit access to Assets to authorized users, collect and analyze access logs, and further review them as appropriate.
    6. Restrict and securely manage remote access to Assets by Personnel and others with multi-factor authentication (i.e., authentication through verification of at least two of the following types of authentication factors: (i) knowledge factors, such as a password; (ii) possession factors, such as a token or text message on a mobile phone; or (iii) inherence factors, such as a biometric characteristic).
    7. Identify Personal Data and related records and manage access to them to protect the confidentiality, integrity, and availability of such information.
    8. Physically and logically separate Personal Data from the Personal Data of other Processor clients.
    9. Manage and control physical access to Assets, including measures to prevent and detect unauthorized access to Assets (including facilities). Monitoring equipment should be in place to allow for the review of unauthorized activity.
    10. Securely destroy electronic and paper records containing Personal Data in accordance with secure destruction policies and procedures.
    11. Implement and manage appropriate technical security solutions to protect the confidentiality, integrity, and availability of Personal Data.
    12. Install critical operating system and software security patches in a timely manner on all devices used to Process Personal Data, and promptly install security-related fixes identified by Processor’s hardware or software vendors.
    13. Install and configure anti-malware software to check for updates on at least a daily basis on all devices used to Process Personal Data.
    14. Deploy data loss prevention software or other technical solutions to prevent unauthorized copying or downloading Personal Data to removable drives or devices and/or unauthorized uploading or transferring Personal Data to unauthorized locations or recipients.
    15. Run internal and external network vulnerability scans at least monthly and after any change in the network configuration.
    16. Perform maintenance and repair of information system components in a controlled and secure manner.
    17. Monitor Processor’s network and Assets to detect vulnerabilities, threats, anomalous or unauthorized activity, and other potential cyber security events (collectively “Events”) in a timely manner.
    18. Personal Data will not be stored on any portable or removable media.
    19. Personal Data will not be stored or used in test or other non-production environments.
    20. Maintain and execute incident response processes and procedures to ensure timely response to detected Events. Ensure the following activities take place according to such established processes and procedures:
      1. Investigate, understand, and categorize Events;
      2. Perform activities to contain an Event, mitigate its effects and address any remaining threat or vulnerability;
      3. Restore affected Assets and Personal Data, and take other appropriate mitigating actions;
      4. Document response and recovery activities; and
      5. Routinely review and update policies and procedures to incorporate lessons learned and address potential threats and vulnerabilities.
    21. Maintain a disaster recovery plan to ensure the continuation of Services under the Agreement and backup of Personal Data in the event of a material disruption or impact to data or Assets.
    22. Coordinate restoration activities with Lucidworks where Personal Data has been impacted.
  8. Encryption and Infrastructure Protection.
    1. Personal Data, including Personal Data on portable devices and backup media, will be encrypted in transmission and at rest, using industry-standard cryptographic techniques and secure management of keys; and
    2. Each Processor will use appropriate encryption in connection with any transfer, communication, remote access, or storage involving Personal Data, using best industry standards considering the nature and extent of the Personal Data. Contractor will only use remote access or wireless connectivity to Lucidworks systems or other storage involving Personal Data where Lucidworks consents in writing.
  9. System Authentication and Authorization. Access to Personal Data will be granted solely on a “need to know” basis, based on individual roles and responsibilities, and will be subject to secure user authentication protocols, including controls around user IDs, other identifiers, passwords, biometrics, authentication token devices, active account log-in procedures, log records that record access attempts, and blocking after multiple unsuccessful log-in attempts. Processor will:
    1. Implement a formal documented process to grant, modify, and remove access to systems containing Personal Data;
    2. Formally review user access rights to systems containing Personal Data at least semi-annually;
    3. Not permit access permissions that allow public groups (e.g., global, world, everyone, etc.) to have read or write access to Personal Data;
    4. Ensure there are no common or group system user IDs on systems where Personal Data is maintained (i.e., users must be uniquely identified);
    5. Conduct revalidation of access rights to Personal Data at least annually;
    6. Maintain electronic logs of Personnel accessing Personal Data depicting the details of the access and transactional changes made and provide such electronic logs to Lucidworks for inspection upon reasonable request; and
    7. Conduct background checks for Personnel with responsibilities for or access to Personal Data, if permissible under applicable law.
  10. Business Continuity. Each Processor will ensure that it always has in place an appropriate business continuity and disaster recovery plan for its business (the “Business Continuity Plan”) that will ensure the continued performance of its obligations under this DPA and operational resilience generally. In addition, each Processor will:
    1. Develop and update the Business Continuity Plan from time to time, and in any event annually, in accordance with good industry practice, and the Processor will, upon request, deliver a copy of the current Business Continuity Plan to Lucidworks.
    2. If required by Lucidworks, explain how the procedures set out in the Business Continuity Plan will interface with any of Lucidworks’s business continuity and disaster recovery plans and procedures of Lucidworks that are known to the Processor.
    3. Test the Business Continuity Plan at least annually, or when significant organizational or environmental changes are made by Processor, and, upon request, report results to Lucidworks.
    4. Provide geographically resilient hosting or backups.
    5. Provide infrastructure service failover.
    6. Report any disruption of business activities related to an emergency to Lucidworks.
  11. Software Development. For any Services or deliverable that includes software or computer coding, Processor will take all necessary precautions to ensure the software is free of viruses, time bombs, worms, Trojan horses, or other intentionally destructive, disabling, or harmful devices (“Destructive Code”). If Lucidworks discovers any Destructive Code or other verifiable security vulnerability at any time during the term of the Agreement, Processor will promptly remediate it. Processor must:
    1. Follow a documented secure software development process.
    2. Use automated or manual source code analysis tools to detect and remediate security defects in code prior to production deployment. Static application security testing (SAST) and dynamic application security testing (DAST) of the application code should be performed.
    3. Perform application penetration testing on any publicly facing systems that contain Personal Data used in the Services provided to Lucidworks.
    4. Conduct, at Processor’s expense, regular industry-standard reviews of Processor’s software for security flaws. Reviews will cover all aspects of the software delivered, including third-party components and libraries. At a minimum, the review will cover common software vulnerabilities. The review may include a combination of static analysis of the binary code, dynamic web application vulnerability scanning, and manual penetration testing.
    5. Processor will track all security issues (including but not limited to specific vulnerability instances and a summary of open security issues) uncovered during the security review of Processor’s software and make available a report of the same to Lucidworks upon Lucidworks’s reasonable demand. Processor will appropriately protect information regarding security issues and associated documentation to help limit the likelihood that vulnerabilities in operational software are exposed. Processor will use all commercially reasonable efforts consistent with sound software development practices, considering the nature and severity of the risk, to remediate all security issues as quickly as possible.

SCHEDULE 3:

APPROVED SUB-PROCESSORS

Below is a list of current Supplier Subprocessors. Not all Subprocessors process Personal Data in every case. Supplier may update this list as Subprocessors are added or deleted and provide updated lists to Lucidworks. Supplier will provide thirty (30) days’ prior notice to Lucidworks of any changes to the below list of approved Subprocessors. If Lucidworks objects to Supplier’s appointment of a Subprocessor on reasonable grounds relating to the protection of Lucidworks Data, then Supplier shall have the right to cure the objection through one of the following options (at Supplier’s reasonable election) within sixty (60) days following Lucidworks’s objection: (a) Supplier will cease to use the new Subprocessor with regard to Lucidworks Data; (b) Supplier will take the corrective steps requested by Lucidworks in its objection and proceed to use the Subprocessor to Process Lucidworks Data; or (c) Supplier may cease to provide, or Lucidworks may agree not to use (temporarily or permanently), the particular aspect of a Service that would involve use of the Subprocessor to Process Lucidworks Data.

Subprocessor Name | Address | Contact Person, Title, Contact Information | Description of Data Processing Activities