Data Processing Addendum

Updated as at September 2022
PARTIES AND ACCEPTANCE
The Parties
Controller
Processor or Lexer
Parties’ details
The entity specified in the Main Agreement between Controller and Lexer.
The entity specified in the Main Agreement between Controller and Lexer.
Key Contact
The key contact specified in the Main Agreement between Controller and Lexer.
Information Security Officer
℅ Lexer Pty Ltd
80-86 Inkerman Street
St Kilda, Victoria, Australia 3182
privacy@lexer.io
Acceptance of DPA
By entering into the Main Agreement between Controller and Lexer, the Controller and Lexer each agree that this DPA is incorporated by reference.

If the Controller requires the additional mandatory Standard Contractual Clauses (SCCs) for EU data subjects, or International Data Transfer Agreement (IDTA) for UK data subjects (refer to Figure 1 below), please submit a request for an addendum to be sent to you via DocuSign
DPA VARIABLES
Parties’ relationship
Controller to Processor
Parties’ roles
The legal entity listed as the Controller in the ‘Parties and Execution’ section above will act as the Controller and Business (as defined in Section 1 of the DPA Terms)

Lexer Pty Ltd will act as the Processor and Service Provider (as defined in Section 1 of the DPA Terms)
Main Agreement
Master Services Agreement between the Controller and Lexer for the provision of services by Lexer to the Controller.
Term
This DPA will commence on the final date of signature or acceptance and will continue until the Main Agreement has expired or is terminated.
Breach notification period
5 business days, or sooner if required by a Data Protection Law
Liability Cap
As per the Main Agreement.
Governing Law
As per the Main Agreement.
Data Protection Laws

All laws, regulations and court orders which apply to the processing of Personal Data in:

  • the European Economic Area (‘EEA’)
  • the United Kingdom (‘UK’)
  • the United States (‘US’)
  • Australia
  • Singapore
  • New Zealand

This includes the European Union Regulation (EU) 2016/679 (‘GDPR’), the Data Protection Act 2018 (‘UK DPA’), California Consumer Privacy Act of 2018 (‘CCPA’), California Privacy Rights Act of 2020 (‘CPRA’)], the Privacy Act 1988 (‘AU PA’), the Personal Data Protection Act 2012 (‘SG PDPA’) and the Privacy Act 2020 (‘NZ PA’), each as amended from time to time.

Services related to processing

As described in the Main Agreement.

Duration of processing

For the Term of this DPA, and the additional period specified in clause 11.7 of the Main Agreement ('Your Data Portability and Deletion'). 

Nature and purpose of processing

The processing of personal data for the purposes of providing the services, as further described in the Main Agreement, including, for the avoidance of doubt, to provide the Controller with, and update and improve, Lexer’s services (or as otherwise agreed in writing by the parties).

Frequency of the processing

The frequency of data transfer depends on the type of data. The range of frequency is between real-time and quarterly, depending on the data. Most data is transferred at least daily. 

Personal Data

The types of personal data processed are:

  • Name
  • Address
  • Email address
  • Social media handles
  • Purchase history
  • Commercial behaviour characteristics
Data subjects

The individuals whose Personal Data will be processed are end user customers and prospects of the Controller.

Transfer mechanism

For EU Data Subjects: The Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country, as shown in Figure 1 below.

For UK Data Subjects: International Data Transfer Addendum issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022 (see Annex IV of Lexer’s Standard Contractual Clauses version). See Figure 1 below.

ANNEX I OF THE DPA: SECURITY MEASURES
Security measures
Technical and organisational measures to ensure the security of Personal Data
Information regarding the technical and organisational measures We have in place to protect Data in accordance with clause 1.6 of this Addendum is available in Our Trust and Compliance section of Our website at https://www.lexer.io/trust-and-compliance/security/   

For processors requiring EU resident and UK data subject protection under the Standard Contractual Clauses or UK IDTA (see Figure 1 below), Annex II of the Standard Contractual Clauses may also list the technical and organisational security measures.
ANNEX II OF THE DPA: SUB-PROCESSORS
Sub-processors
Current sub-processors
Amazon Web Services (AWS)

DPA Terms

1. What is this agreement about?

1.1.
Purpose. The parties are entering into this Data Processing Agreement (‘DPA’) for the purpose of processing Personal Data (as defined in the DPA Variables section above).
1.2
Definitions. Under this DPA:
1.2.1
adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data, and
1.2.2
Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws; and
1.2.3
Business and Service Provider have the same meanings as in the CCPA/CPRA; and
1.2.4
Sub-Processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.

2. What are each party’s obligations?

2.1.
Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.
2.2.
Processor/Sub-Processor obligations. Processor will:
2.2.1.
only process Personal Data in accordance with this DPA and Controller’s instructions (unless legally required to do otherwise);
2.2.2.
not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement;
2.2.3.
inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws;
2.2.4.
use the technical and organisational measures described in Annex I when processing Personal Data to ensure a level of security appropriate to the risk involved;
2.2.5.
notify Controller of a Personal Data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it, as set out in more detail in clauses 6.2. to 6.5.;
2.2.6.
ensure that anyone authorised to process Personal Data is committed to confidentiality obligations;
2.2.7.
without undue delay, provide Controller with reasonable assistance with:
2.2.7.1.
data protection impact assessments;
2.2.7.1.
responses to data subjects’ requests to exercise their rights under Data Protection Laws in accordance with clause 6.3.; and 
2.2.7.1.
engagement with supervisory authorities;
2.2.8.
if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and the DPA;
2.2.9.
allow for audits at Controller’s request, if the requirements of clause 7 are met; and
2.2.10.
return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.
2.3.
Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

3. Sub-processing

3.1.
Use of sub-processors. Controller authorises Processor engage other processors (referred to in this section as Sub-Processors) when processing Personal Data. Processor’s existing Sub-Processors are listed in Annex II.
3.2.
Sub-processor requirements. Processor will: 
3.2.1.
require its Sub-Processors to comply with equivalent terms as Processor’s obligations in this DPA;
3.2.2.
ensure appropriate safeguards are in place before internationally transferring Personal Data to its Sub-Processor; and
3.2.3.
be liable for any acts, errors or omissions of its Sub-Processors as if they were a party to this DPA.
3.3.
Approvals. Processor may appoint new Sub-Processors provided that they notify the Controller in writing in accordance with the Sub-Processor Notification Period.
3.4.
Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

4. International Personal Data transfers

4.1.
Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.
4.2.
Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data: 
4.2.1.
that party will act as the data importer;
4.2.2.
the other party is the data exporter; and
4.2.3.
the relevant Transfer Mechanism will apply.
4.3.
Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.
4.4.
Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):
4.4.1.
challenge the request and promptly notify the data exporter about it; and
4.4.2.
only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure. 

5. Other important information

5.1.
Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.
5.2.
Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order: 
5.2.1.
Transfer Mechanism;
5.2.2.
DPA; and
5.2.3.
Main Agreement.
5.3.
Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA’s front page as may be updated by a party to the other in writing.
5.4.
Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
5.5.
Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter (i.e. data protection) and neither party has relied on any statement or representation of any person in entering into this DPA.
5.6.
Amendments. Any amendments to this DPA must be agreed in writing.
5.7.
Assignment. Neither party can assign this DPA to anyone else without the other party's consent. 
5.8.
Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
5.9.
Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.

6. Privacy and security

6.1.
Controller’s  Privacy Requirements. Without limiting any other clause of the DPA or the Main Agreement:
6.1.1.
Controller must publish a privacy policy that complies with applicable Data Protection Laws; and
6.1.2.
Controller is responsible for the accuracy, quality, integrity and legality of its Data (including Personal Data) and the means by which Controller acquired its Data (including ensuring a legal basis for collection and sharing of Personal Data with the Processor before transferring to Processor).
6.2.
Processor’s Privacy Requirements: Without limiting any other clause of the DPA or the Main Agreement:
6.2.1.
Processor must, in respect of all Personal Data held in connection with the DPA or the Main Agreement, comply with any reasonable requests or directions issued by Controller from time to time arising from the exercise of the functions of any privacy regulator;
6.2.2.
Processor must not, in respect of any Personal Data held in connection with the DPA, without the prior written approval of Controller (including in the Main Agreement), disclose, transfer or permit the disclosure or transfer outside of the information outside of the data location specified (if any) in the Main Agreement.
6.3.
Complaints handling:  We must inform You within the Breach Notification Period:
6.3.1.
if a request is received from a data subject to inspect, access or change Personal Data relating to that person; or
6.3.2.
of any privacy complaints received from a data subject or any events relating to Personal Data which may cause the Data Protection Laws to be breached, and comply with the reasonable directions of Controller regarding any request or complaint received.
6.4.
Mandatory Data Breach Protection: If Processor becomes aware of, or has a reasonable suspicion that there has been any unauthorised access to, or disclosure or loss of, any Personal Data that has been collected from or on behalf of Controller, directly or indirectly, pursuant to the DPA or the Main Agreement, Processor must notify Controller immediately ('Breach'). In the event of a Breach, Processor must:
6.4.1.
cooperate with Controller or any appointed authority in relation to any ensuing investigation or enquiry relating to the Breach;
6.4.2.
cooperate with Controller or any appointed authority in relation to the preparation of any determination, statement or notice regarding the Breach, and any notifications to affected individuals; and
6.4.3.
cooperate with Controller or any appointed authority in relation to the provision of information surrounding the circumstances of the Breach, such information which should include: the Personal Data in question; the data subjects that are likely to be affected by the Breach; details of the security measures in place and how these may be improved; and all other information relevant for an investigation.
6.4.4.
Processor must follow Controller’s reasonable directions in relation to any interactions We have with any individuals who may be potentially potentially affected by a Breach or a notification under clause 6.5.
6.5.
Notification processes:
6.5.1.
In the event of a disagreement between You and Us as to whether or not a Notification should be provided, the disagreeing Party must provide written notice of the basis of its disagreement to the other Party. The Parties must act in good faith to agree on whether or not to provide the Notification.
6.5.2.
If a party reasonably believes there is a legal requirement to submit a Notification, following the process set out in clause 6.7.1 above, either party may elect to provide a Notification, with written notice to the other party.

7. Audit

7.1.
SOC 2 report. Controller acknowledges that Processor is regularly audited against SOC 2 standards by an independent third-party auditor. Controller acknowledges that a recent SOC 2 audit report will, unless clause 7.2. or 7.3. applies, satisfy any requirement of the Controller with respect to a request to conduct an audit of Processor.
7.2.
Breach as exceptional circumstances. In the event of a Breach as defined in clause 6.4., Controller may request an audit of Processor’s security and data processing practices.
7.3.
Conditions on audits. If Controller requires an audit of Processor’s practices which does not fall under clauses 7.1. or 7.2. above, Controller may request an audit of Processor’s practices, provided:
7.3.1.
audits are limited to once a year, conducted during business hours; and
7.3.2.
Controller reimburses Processor for its reasonable costs in participating in the audit (including internal resources at Processor’s hourly rate).

Schedule 1: Standard Contractual Clauses

The standard contractual clauses between data controllers and data processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, and currently located here (SCCs) Throughout these SCCs, some are specified as optional. These Variables below specify which optional Clauses are incorporated into these Clauses between the Parties.

Variables

Docking clause
(See Clause 7)
Applies
Authorisation type
(See Clause 9(a))
Option 2: General written authorisation for sub-processors applies

The time period referenced in this Clause is 14 days
Dispute Resolution
(See Clause 11(a))
Does not apply
Liability
(See Clause 12)
Module 2 applies
Governing law
(See Clause 17)
Option 1 applies: Governing law of these SCCs is an EU Member State that recognises third party rights. The Parties agree that the Member State applicable for the purposes of Clause 17 is the Republic of Ireland
Jurisdiction of courts
(See Clause 18.2.)
The parties agree that disputes relating to these SCCs are to be determined by the courts of the Republic or Ireland
Incorporation of UK International Data Transfer Agreement (IDTA)
(See Annex IV)
Where the activities incorporate UK personal data, Annex IV for UK-specific terms is included in these SCCs

SCC Appendix

ANNEX I

A.   LIST OF PARTIES
Data exporter(s):
Name
A Customer that has engaged the Data Importer to provide the Services pursuant to the Main Agreement, such agreement as may be updated from time to time
Address
As set out in the Agreement  or as supplied to the Data Importer by way of specific notice of written acceptance
Contact person’s name, position and contact details
Contact person’s name, position and contact details: As set out in the Main Agreement,  or as supplied to the Data Importer by way of specific notice of written acceptance
Activities relevant to the data transferred under these Clauses
Data Importer provides the Service and Data exporter uses the Services. The Data Importer processes personal data as described in the Main Agreement
Signature
Each of the parties agree that execution of the Main Agreement shall constitute execution of these SCCs, unless expressly stated otherwise that a different set of data processing terms should apply. Any Agreement by the Data Exporter to a version of the Data Importer’s standard Data Processing Agreement prior to 12 September 2022 is deemed to be updated to this version by no later than 27 December 2022.
Date
The date of the Main Agreement or as supplied to the Data Importer by way of specific notice of written acceptance
Role
Controller / Processor
Data importer(s): 
Name
Lexer Pty Ltd (ABN 59 146 105 320)
Address
80-86 Inkerman Street, St Kilda, Victoria, Australia 3182
Contact person’s name, position and contact details
Chris Brewer
CFO & Information Security Officer
privacy@lexer.io
Activities relevant to the data transferred under these Clauses
As described in the Variables table in the DPA
Signature
Each of the parties agree that execution of the Main Agreement shall constitute execution of these SCCs, unless expressly stated otherwise that a different set of data processing terms should apply. Any Agreement by the Data Exporter to a version of the Data Importer’s standard Data Processing Agreement prior to 12 September 2022 is deemed to be updated to this version by no later than 27 December 2022.
Date
The date of the Main Agreement or as supplied to the Data Importer by way of specific notice of written acceptance
Role
Processor
B.   DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As described in the Variables table in the DPA.
Categories of personal data transferred
As described in the Variables table in the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved
As described in the Variables table in the DPA.
The frequency of the transfer 
As described in the DPA Variables table in the DPA.
Nature of the processing
As described in the DPA Variables table in the DPA.
Purpose(s) of the data transfer and further processing
As described in the DPA Variables table in the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As described in the DPA Variables table in the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As described in Annex II.
C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs: 

If the Data Exporter is established an EU Member State: the supervisory authority will be the relevant supervisory body of that Member State.

If the Data Exporter is not established in an EU Member State,  but falls within the territorial scope and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority. 

If the Data Exporter is not established in an EU Member State, but falls within the territorial scope without having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them shall act as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
Technical and organisational measures of the data importer to ensure security of the data

A complete description of Lexer’s security and information security practices are published on our website.

Pseudonymisation: Pseudonymisation is generally not applicable to data processed in the application(s), unless specifically requested by the client and at additional cost.

Encryption: Personal data in application(s) is encrypted in transit and at rest. Personal data is encrypted for transit both to and from the data exporter and for any server-to-server communication necessary for the normal functioning of the application(s). The application(s) uses only private asymmetric keys and prohibits the use of master symmetric keys. Data at rest is encrypted and protected by access controls. Only authenticated users can read, modify, or delete data as specified by the permissions associated with their account.

Confidentiality, integrity and resilience: Disaster recovery plans are in place for all application(s). All employees of processor, by written policy, are provided access on a least-privilege basis and must conduct specialised privacy awareness training.

Restoration availability: Data backups are geo-replicated for applications that store data.

Testing, assessing, evaluating: During each phase of application(s) development, security measures are in place to identify and manage potential vulnerabilities throughout development and release. These include, but are not limited to: OWASP 10 and SANS 25 vulnerabilities, security and privacy risk assessments, third party penetration testing, SOC 2 auditing, ISO27001 certification

User ID and authentication: Features include privilege levels, automatic sign out, failed login restrictions , password based authentication (including using multi-factor authentication), strength and complexity of passwords enforced, passwords stored in encrypted format, single-sign on in certain circumstances where requested by the data exporter as part of their agreement with the processor.  

Protection of data in transit: All data is encrypted in transit.

Protection of data in storage: All data is encrypted at rest.  

Physical security: Amazon Web Services (AWS) is our sub-processor who processes all personal data and manages physical security of data servers. See Annex III for details.

Ensuring events logging: Security logs capture the following events: 

User, system, or process identifier that triggered the event

Description of event

Date and time of event

Authorization information associated with the event

Security logs, which are protected from modification and destruction, are maintained for at least 1 year.

Measures ensuring system configuration: Penetration tests, vulnerability management, peer reviews.

IT security governance and management: The processor maintains an information security management system (ISMS), including risk management, change control, incident management, corrective measures and management oversight.

Measures for certification/assurance of processes and products: ISO27001 certification, SOC 2 reports

Data quality / data retention: Please see the applicable section of processors application agreement.

Ensuring accountability: All employees of processor are trained and must acknowledge processors' cybersecurity policies. Compliance with policy is monitored and refresher training provided annually. Our privacy representative may be contacted by emailing privacy@lexer.io 

Data portability / ensuring erasure: Please see the applicable section of processors application agreement.

Technical and organisational measures of the sub-processor (if any)

ANNEX III

LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Name

Amazon Web Services (AWS)

Address
L37 2-26 Park St Sydney, NEW SOUTH WALES, 2000 Australia
Contact person’s name, position and contact details
Data Privacy Officer or AWS Legal
The Data Protection Officer can be contacted at aws-EU-privacy@amazon.com 
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised)
Data input by user is processed in the application(s) according to the user requested functionality as described in Annex I with the same or greater data protection obligations as those binding the data importer under these Clauses. 

Refer to Annex 1 (Security Standards) of the AWS Data Processing Agreement for further information.

ANNEX IV: UK INTERNATIONAL DATA TRANSFER AGREEMENT (IDTA) ADDENDUM

VERSION B1.0, in force 21 March 2022
This Addendum (Annex IV) has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1
Start date
See “Commencement Date” under Main Agreement between the Data Exporter and Data Importer
The Parties
Exporter (who sends the Restricted Transfer)
Importer (who receives the Restricted Transfer)
Parties’ details
See Data Exporter details in Annex I
See Data Importer details in Annex I
Key Contact
See Data Exporter details in Annex I
See Data Importer details in Annex I
Signatures
Each of the parties agree that execution of the Main Agreement shall constitute execution of these SCCs, unless expressly stated otherwise that a different set of data processing terms should apply. Any Agreement by the Data Exporter to a version of the Data Importer’s standard Data Processing Agreement prior to 12 September 2022 is deemed to be updated to this version by no later than 27 December 2022.
Table 2
Addendum EU SCCs
The version of  the Approved EU SCCs which this Annex IV is appended to, detailed below, including the Appendix Information
Table 3
Appendix Information
The Appendix Information as above means the information which must be provided for the selected modules as set out in (Annex I, II and III) the Appendix of the Approved EU SCCs (other than the Parties), and which for this Annex IV is set out in:
Annex I.A.
List of Parties: See Annex I
Annex I.B.
Description of Transfer: See Annex I
Annex II
Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Annex II
Annex III
List of sub-processors: See Annex III
Table 4
Ending this Annex IV when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section ‎19: 

  • Importer; and 
  • Exporter
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.