Data Processing Addendum

February 2023

Introduction

This data processing agreement (“DPA”) forms an integral part of the master services agreement (the “Agreement”) between Lusha Systems, Inc. (“Lusha”) and the Customer. Lusha and the Customer shall hereafter be collectively known as the “Parties” and each individually known as a “Party”. This DPA supersedes and replaces any existing data processing terms in place between the Parties relating to the processing of personal data. To the extent that any of the terms or conditions contained in this DPA may contradict or conflict with any of the terms or conditions of the Agreement, it is expressly understood and agreed that the terms of this DPA shall take precedence. 

This DPA comprises two parts:

  • Part 1 applies when Lusha acts as a Data Processor
  • Part 2 applies when Lusha acts as a Data Controller

Lusha may amend this DPA if the change is required to comply with applicable data protection law, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) unlawfully expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process personal data; or (ii) have a material adverse impact on Customer, as reasonably determined by Lusha. If Lusha intends to change this DPA in terms of this section, and such change will have a material adverse impact on Customer, as reasonably determined by Lusha, then Lusha will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer does not acknowledge such notification or return a signed copy to signify its acceptance of the DPA within 30 days of receiving the notice, Lusha will continue its relationship with Customer on the basis that the DPA is incorporated into its Agreement with Customer.

Any claims brought under this DPA will be subject to the terms and conditions of Agreement, including the exclusions and limitations set forth in the Agreement.

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the law selected in the choice of laws clause in the Agreement, or if no law is selected, the laws of New York State, and the Parties irrevocably agree that the state and federal courts of New York County in the State of New York and the federal district court for the Southern District of New York shall have sole exclusive jurisdiction and venue to settle any such dispute or claim, save that the provisions of the C-P SCCs and C-C SCCs (each as defined below) (together the “SCCs”), as applicable, shall be governed by and interpreted in accordance with the laws of Ireland and the Parties irrevocably agree that the courts of that jurisdiction shall have exclusive jurisdiction to settle any dispute or claim arising from or in relation to the SCCs.

Part 1

Definitions.

Capitalized terms used in this Part 1 of this DPA but not defined in this DPA or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”), the UK GDPR (as defined below) and in the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100 et seq. and 11 CCR §999.300) (“CCPA”) (as applicable). In addition, the following capitalized terms have the following meanings:

    1. “C-P SCCs” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time; and
    2. “Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.

Scope.

Sections 3 to 6 of this Part 1 apply only if and to the extent that Lusha acts as a Data Processor to Process Personal Data that Lusha receives from the Customer, where the Customer is a Data Controller subject to: (a) GDPR; and/or (b) the GDPR as it forms part of the laws of the United Kingdom (“UK”) as retained EU law (as defined in the European Union (Withdrawal) Act 2018), the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and any further UK laws addressing data transfers from the UK (collectively, “UK GDPR”) with respect to the Personal Data that Lusha Processes. Section 7 of this Part 1 applies only if and to the extent that Lusha acts as a “service provider” to Process Personal Information that Lusha receives from the Customer, where the Customer is a Business subject to the CCPA.

C-P SCCs.

To the extent that Lusha Processes Personal Data in a Third Country as a Data Processor and is acting as data importer, Lusha will comply with the data importer’s obligations set out in the C-P SCCs, which are hereby incorporated into and form part of this DPA; the Customer will comply with the data exporter’s obligations in such C-P SCCs, and:

    1. if applicable, for the purposes of Part 1 of such C-P SCCs, the relevant Addendum EU SCCs (as such term is defined in the applicable C-P SCCs) are the standard contractual clauses for the transfer of Personal Data to Third Countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2) as incorporated into this DPA by virtue of this paragraph 3;
    2. if applicable, for the purposes of (i) Clause 9(a) of the C-P SCCs, option 2 (General Written Authorization) is deemed to be selected and the notice period shall be 10 days; (ii) Clause 11(a) of such C-P SCCs, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C., the competent Supervisory Authority is as set out in paragraph 3.5.5 below;
    3. if applicable, for the purposes of (i) Clause 17, Option 1 is deemed selected and the governing law shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland; and (ii) Clause 18 of the C-P SCCs, the competent court shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland;
    4. if applicable, for the purposes of Part 1 of the C-P SCCs, Lusha as the data importer may terminate the C-P SCCs pursuant to Section 9 of such C-P SCCs;
    5. for the purposes of Annex I or Part 1 (as relevant) of such C-P SCCs the signature(s) (in any form) given in connection with the execution of this DPA by a party and the dates of such signature(s) shall apply as the dated signature required from the party, and:
      1. Start Date: the date of this DPA. 
      2. Data Exporter: Customer.
        1. Activities relevant to the data transferred under the C-P SCCs: an organization using Lusha’s services which involves Lusha Processing Personal Data received from the Customer.
        2. Role: Controller.
      3. Data Importer: Lusha.
        1. Activities relevant to the data transferred under the C-P SCCs: Developer, operator and provider of the Lusha services which involve Lusha Processing Personal Data received from the Customer.
        2. Role: Processor.
      4. Description of Transfer:
        1. Categories of Data Subjects whose Personal Data is transferred: business professionals requested by the Customer (“Contacts”).
        2. Categories of Personal Data transferred: Business contact information (e.g. Name, email, phone number, job title and job affiliation).
        3. Sensitive data transferred: None.
        4. The frequency of the transfer: on a continuous basis.
        5. Nature of the Processing: recording, storage, consultation, use, disclosure by transmission and erasure.
        6. Purpose(s) of the data transfer and further Processing: the provision of Lusha’s services.
        7. The period for which the Personal Data will be retained: the period of the Agreement. Lusha shall be entitled to maintain Personal Data following the termination of the main agreement for statistical and/or financial purposes provided that Lusha maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal Data.
        8. Transfers to (sub-) processors: As above.
      5. Competent Supervisory Authority: the data protection authority in the EU member state in which the Customer is established, or the Customer’s lead Supervisory Authority for GDPR purposes. If the Customer is not established in any EU member state, then the Supervisory Authority of the EU member state in which the Customer’s EU representative pursuant to Article 27 of the GDPR is located;
    6. for the purposes of Annex II or Part 1 (as relevant) of such C-P SCCs, the technical and organizational security measures set out in Schedule 1 (Technical and Organizational Security Measures) to this DPA will apply;
    7. for the purposes of Annex III of such C-P SCCs, the list of authorized sub-processors are set out here; and
    8. if Lusha’s assistance to the Customer under Clause 10 of the C-P SCCs entails material costs, expenses or resources to Lusha, then the Parties shall first discuss and agree on the fees payable to Lusha for such assistance.

Audits.

Not more than once per annum, Lusha shall allow for and contribute to audits conducted under Clause 8.9 of the C-P SCCs, including carrying out inspections on Lusha’s business premises conducted by Customer or another auditor mandated by Customer during normal business hours and subject to a prior notice to Lusha of at least 30 days as well as appropriate confidentiality undertakings by Customer covering such inspections in order to establish Lusha’s compliance with this Part 1 and the provisions of the GDPR as regards the Personal Data that Lusha Processes as a Data Processor on behalf of Customer. If such audits entail material costs or expenses to Lusha, the Parties shall first come to agreement on Customer reimbursing Lusha for such costs and expenses.

Legal Basis.

The Customer may only use the Lusha Service to Process Personal Data pursuant to a recognized and applicable lawful basis under the GDPR or UK GDPR. The Customer shall provide Lusha only with instructions that are lawful under the GDPR or UK GDPR and would not cause Lusha to breach the GDPR or UK GDPR.

Security Measures.

In this Section, “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Lusha’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Lusha’s business activities.

    1. Lusha represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, or Processed by Lusha in connection with this Part 1, and (ii) to protect such data from Personal Data Breach incidents, as more fully described in Schedule 1 (Technical and Organizational Security Measures).
    2. The Security Measures are subject to technical progress and development and Lusha may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by the Customer.
    3. Lusha shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision which has access to, and Processes, Personal Data. Lusha shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Data Breach Notice.

In the event of a data breach, the Processor shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Controller of the personal data breach. The notification shall include, at least:

  1. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall also assist the Controller in the documentation of any personal data breaches, including for the purposes of demonstrating compliance with the GDPR.

CCPA.

1. In its capacity as a Service Provider, Lusha is prohibited from retaining, using or disclosing Customer’s Personal Information: (a) For any purpose other than those as set out in the Agreement and specifically to search the Lusha database for information about a Contact (as defined above) at the Customer’s request, or as otherwise permitted under 11 CCR §999.314(c); (b) by way of Selling or sharing Customer’s Personal Information; and (c) by way of retaining, using or disclosing the Customer’s Personal Information outside of the direct business relationship between the Parties, except as permitted under 11 CCR §999.314(c). Lusha certifies that it understands the restriction specified in the preceding subsection and will comply with it.

2. In its capacity as a Service Provider (as provided by CPRA) Lusha shall: (a) grant Customer the right to take reasonable and appropriate steps to help ensure that Lusha uses Personal Data in a manner consistent with Customer’s obligations under the CPRA (as amended); (b) notify Customer if Lusha determines that it can no longer meet its obligations under the CPRA; and (c) grant Customer the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data. To the extent required by the CPRA, Lusha shall inform the Customer of any consumer requests made pursuant to the CPRA that they must comply with, and shall provide all information necessary for Supplier to comply with such request.

3. Lusha is prohibited from combining Personal Data provided by the Customer with personal data that it received from another person or entity or collects from its own interaction with the data subject. Lusha can combine such data if: (i) Lusha combines personal data to perform any business purpose defined by the Attorney General in its regulations, adopted pursuant to paragraph (10) of subdivision (a) of Cal. Civ. Code § 1798.185, excepting the combining of Personal Data of opted-out individuals that Lusha received from the Customer; or (ii) Customer or its employee (end user) has opted in to sharing data in accordance with Lusha’s Community Program terms, Lusha’s Community Terms of Use and Lusha’s Code of Conduct.

FADP.

The SCCs will apply to Personal Data transfers subject to the Swiss Federal Act on Data Protection (“FADP”), provided the following modifications will apply:

  • references to GDPR shall be interpreted as references to FADP and the equivalent articles thereof;
  • references to EU, Union, Member State, EU law and Member State Law shall be interpreted as references to Switzerland and Swiss law;
  • references to competent supervisory authority and competent court shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent Swiss courts;
  • the SCCs shall be governed by the laws of Switzerland.

Part 2

Definitions.

  1. “Lusha’s Processing” means Personal Data that Lusha provides to the Customer to drive Customer’s sales, recruitment, marketing, business intelligence and fraud prevention initiatives by providing Customers with relevant and up-to-date business contact information to facilitate interactions between Customer and its potential customers and prospective candidates.
  2. “C-C SCCs” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 1 (Controller to Controller); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
  3. Capitalized terms used in this Part 2 of this DPA but not defined in this DPA or in the Agreement have the meaning ascribed to them in the GDPR or UK GDPR (as applicable).

Scope.

This Part 2 applies only if and to the extent that Lusha’s Processing renders Lusha a Data Controller subject to the territorial scope provisions of the GDPR or the UK GDPR; it is clarified that each party is an independent Controller liable for its own processing activities.

C-C SCCs.

To the extent that Lusha Processes Personal Data in a Third Country as a Data Controller and acts as a data exporter, Lusha will comply with the data exporter’s obligations set out in the C-C SCCs, which are hereby incorporated into and form part of this DPA, and:

    1. if applicable, for the purposes of Part 1 of such C-C SCCs, the relevant Addendum EU SCCs (as such term is defined in the applicable C-C SCCs) are the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 1) as incorporated into this DPA by virtue of this paragraph 3;
    2. if applicable, for the purposes of Clause 11(a) of such C-C SCCs, the optional wording in relation to independent dispute resolution is deemed to be omitted;
    3. if applicable, for the purposes of (i) Clause 17, Clause 18 and Annex I.C. of the C-C SCCs, the governing law shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland and the competent court shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland; and the competent supervisory authority shall be as set out in paragraph 3.5.1.4.8 below;
    4. if applicable, for the purposes of Part 1 of the C-C SCCs, neither party may terminate the C-C SCCs pursuant to Clause 16 of such C-C SCCs; and
    5. for the purposes of Annex I.A., Annex I.B or Part 1 (as relevant) of such C-C SCCs, the signature(s) (in any form) given in connection with the execution of this DPA by a party and the dates of such signature(s) shall apply as the dated signature required from the party, and:
      1. Start Date: the date of this DPA.
      2. Data Importer: Customer.
        1. Activities relevant to the data transferred under the C-C SCCs: an organization seeking Personal Data to drive its sales, recruitment, and marketing initiatives with relevant and up-to-date business contact information to facilitate interactions between it and its potential customers and prospective candidates.
        2. Role: Controller.
      3. Data Exporter: Lusha.
        1. Activities relevant to the data transferred under the C-C SCCs: Developer, operator, and provider of the Lusha services which involve Lusha’s Processing.
        2. Role: Controller.
      4. Description of Transfer:
        1. Categories of Data Subjects whose Personal Data is transferred: business professionals requested by the Customer (“Contacts”).
        2. Categories of Personal Data transferred: as described in https://www.lusha.com/data-attributes/.
        3. Sensitive data transferred: None.
        4. The frequency of the transfer: on a continuous basis upon request.
        5. Nature of the Processing: disclosure by transmission.
        6. Purpose(s) of the data transfer and further Processing: driving data importer’s sales, recruitment, and marketing initiatives with relevant and up-to-date business contact information to facilitate interactions between it and its potential customers and prospective candidates.
        7. The period for which the Personal Data will be retained: so long as required for Customer’s business needs.
        8. Competent Supervisory Authority: Data Protection Commissioner of the Republic of Ireland.
    6. for the purposes of Annex II or Part 1 (as relevant) of such C-C SCCs, the security measures are as per data importer’s information security policy, as more fully described in Schedule 1 (Technical and Organizational Security Measures).

Schedule 1

Technical and Organizational Security Measures

  • Security Policies and Procedures. Lusha maintains and implements security policies and procedures designed to ensure employees and contractors Process Personal Data in accordance with the SCCs.
  • Intrusion Prevention. Lusha ensures that its security infrastructure is consistent with leading industry standards for virus protection, firewalls, and intrusion prevention technologies to prevent unauthorized access to, or compromise of, Lusha’s network, systems, servers, and applications.
  • Security Awareness Training. Lusha implements and maintains security awareness training regarding the handling and securing of confidential information and sensitive information such as Personal Data consistent with applicable law.
  • Physical Access Controls. Lusha has established limits on physical access to information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and offices is limited to authorized individuals.
  • Logical Access Controls. Lusha ensures proper user authentication for all employees and contractors with access to Personal Data, including, without limitation, by assigning each employee/contractor unique access credentials for access to any system on which Personal Data Processed by Lusha in accordance with this DPA can be accessed and prohibiting employees/contractors from sharing such access credentials. Lusha restricts and tracks access to Personal Data Processed by Lusha in accordance with this DPA to only those employees/contractors whose access is necessary to perform the services. Lusha implements and maintains logging and monitoring technology to help detect and prevent unauthorized access attempts to networks and production systems. Lusha conducts periodic reviews of changes affecting systems handling authentication, authorization, and auditing, and of privileged access to production systems. Lusha shall ensure that upon termination of any employee/contractor, the terminated employee’s access to any Personal Data Processed by Lusha in accordance with this DPA on Lusha’s systems will be immediately revoked.
  • Environmental Access Controls. Lusha implements and maintains appropriate and reasonable environmental controls for data centers, such as air temperature and humidity controls, and appropriate protections against power failures.
  • Disaster Recovery and Back-up Controls. Lusha maintains: (i) periodic backups of production file systems and databases according to a defined schedule; and (ii) a formal disaster recovery plan for the production data center, and conducts regular testing of the effectiveness of such plan.
  • Business Continuity and Cyber Incident Response Plan. Lusha maintains business continuity and incident response plans to manage and minimize the effects of unplanned events (cyber, physical, or natural) (“Incident Response Plans”) that include procedures to be followed in the event of an actual or potential security breach or business interruption and which have a stated goal of resumption of routine services within thirty-six (36) hours of such an event. The Incident Response Plans shall require record keeping of root cause analysis and remediation efforts.
  • Storage and Transmission Security. Lusha secures the transmission of all Personal Data processed by Lusha in accordance with this DPA and encrypts such data as per the following: (i) In Transit: public network traffic is encrypted using SSL/TLS v1.2 or v1.3; older versions of TLS are disabled; and (ii) At Rest: databases and servers are encrypted at rest using the AES-256 algorithm, and laptop devices are encrypted at rest using the XTS-AES-256/AES-256 algorithm. Internal service keys are stored in Vault and encryption keys used for encryption at rest are stored in AWS KMS.
  • Internal Audits. Lusha regularly conducts internal security audits and shall contract annually for external security assessments and penetration tests of Lusha systems including, without limitation, cloud architecture, business processes and procedures, access controls and encryption measures.
  • Risk Identification and Assessment. Lusha implements and maintains a risk assessment program to help identify foreseeable internal and external risks to its information resources and to determine if existing controls, policies, and procedures are adequate.
  • Vendor and Service Providers. Prior to engaging new third-party contractors, service providers or vendors who will have access to Personal Data Processed by Lusha in accordance with this DPA (collectively, “Vendors”), Lusha shall conduct a risk assessment of the Vendor’s data security practices. Lusha shall conduct periodic Vendor reviews to ensure compliance with the terms of the SCCs.
  • Change and Configuration Management. Lusha implements and maintains policies and procedures for managing changes to production systems, applications, and databases, including, without limitation, processes for documenting testing and approval of changes into production, security patching, and authentication.
  • Certifications. Lusha maintains the following third-party certifications: ISO 27001, ISO 27018 and ISO 27701, SOC 2 Type 2, and other certifications as appropriate. Lusha also holds the TRUSTe Certified Privacy seal.

For transfers from Data Processor to sub-processors, the specific technical and organizational measures to be taken by the sub-processor to be able to assist the Data Controller are as set out above.