DATA PROCESSING ADDENDUM
Customer (“Controller”) has entered into an agreement with Chronicle Bidco, Inc. d/b/a Lexitas, (“Lexitas”) (each a “Party” and collectively the “Parties”) under which Lexitas has agreed to provide the Services in accordance with such agreement (the “Agreement”). This Data Processing Agreement (the “DPA”) is incorporated into and forms an integral part of the Agreement and shall be effective on the effective date of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data. To the extent that Lexitas processes any Covered Data (as defined below) on behalf of Controller in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.
1. DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Covered Data” means Personal Data that is: (a) provided by or on behalf of Controller to Lexitas in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Lexitas, or its agents or subcontractors, for purposes of providing the Services to Controller.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under US Data Protection Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Security Incident” means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Services” means the services to be provided by Lexitas pursuant to the Agreement.
“Sub-processor” means an entity appointed by Lexitas to Process Covered Data on its behalf.
“US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
2. INTERACTION WITH THE AGREEMENT
Any Processing operation as described in clause 4 (Details of Data Processing) and Schedule 1 to this DPA will be subject to this DPA.
3. ROLE OF THE PARTIES
The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Lexitas will act as a "service provider" or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.
4. DETAILS OF DATA PROCESSING
4.1 The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
4.2 Covered Data will only be Processed on behalf of and under the instructions of Controller and in accordance with US Data Protection Laws. The Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Controller may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Lexitas is prohibited from:
(a) selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
(b) sharing Covered Data with any third party for cross-context behavioral advertising;
(c) retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws;
(d) retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and
(e) except as otherwise permitted by US Data Protection Laws, combining Covered Data with Personal Data that Lexitas receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
4.3 Lexitas will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement.
4.4 Lexitas may Process Covered Data anywhere that Lexitas or its Sub-processors maintain facilities, subject to clause 5 of this DPA.
4.5 Lexitas will provide Controller with information to enable Controller to conduct and document any data protection assessments required under US Data Protection Laws. In addition, Lexitas will notify Controller promptly if Lexitas determines that it can no longer meet its obligations under US Data Protection Laws.
4.6 Controller will have the right to take reasonable and appropriate steps to ensure that Lexitas uses Covered Data in a manner consistent with Controller’s obligations under US Data Protection Laws.
5. SUB-PROCESSORS
5.1 Controller grants Lexitas the general authorisation to engage Sub-processors, subject to clause 5.2.
5.2 Lexitas will (i) enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Lexitas’ obligations under this DPA; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
5.3 Lexitas will provide Controller with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Controller may object to Lexitas’ use of a new Sub-processor by providing Lexitas with written notice of the objection within fifteen (15) days after Lexitas has provided notice to Controller of such proposed change (an "Objection"). If Controller does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Controller objects to Lexitas’s use of a new Sub-processor, Controller and Lexitas will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Controller may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party. During any such Objection period, Lexitas may suspend the affected portion of the Services.
6. DATA SUBJECT RIGHTS REQUESTS
6.1 As between the Parties, Controller will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under US Data Protection Laws (each, a "Data Subject Request").
6.2 Lexitas will promptly forward to Controller without undue delay any Data Subject Request received by Lexitas or any Sub-processor and may advise the individual to submit their request directly to Controller.
6.3 Lexitas will provide Controller with reasonable assistance as necessary for Controller to fulfil its obligation under US Data Protection Laws to respond to Data Subject Requests, including, if applicable, Controller’s obligation to respond to requests for exercising the rights set out in US Data Protection Laws.
7. SECURITY AND AUDITS
7.1 Lexitas will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
7.2 Lexitas will implement and maintain as a minimum standard the measures set out in Schedule 2.
7.3 Controller will have the right to audit Lexitas’ compliance with this DPA. The Parties agree that all such audits will be conducted:
(i) upon reasonable written notice to Lexitas;
(ii) only once per year, or more frequently if any audit indicates that Lexitas is in non-compliance with this DPA; and
(iii) only during Lexitas’ normal business hours.
7.4 To conduct such audits, Controller may engage a third-party auditor subject to such auditor complying with the requirements under clause 7.3 and provided that such auditor is suitably qualified and independent.
7.5 Controller will promptly notify Lexitas of any non-compliance discovered during an audit.
7.6 Upon request, Lexitas will provide to Controller documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Lexitas may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Controller’s audit request and Lexitas confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
7.7 Lexitas will audit its Sub-processors on a regular basis and will, upon Controller’s request, confirm their compliance with US Data Protection Laws and the Sub-processors’ contractual obligations.
8. SECURITY INCIDENTS
Lexitas will notify Controller in writing without undue delay after becoming aware of any Security Incident. Lexitas will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Controller timely information about the Security Incident and any obligation of Controller under US Data Protection Laws to make any notifications to individuals, governmental or other regulatory authority, or the public in respect of such Security Incident. Lexitas shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Controller timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Lexitas’ notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by Lexitas of any fault or liability with respect to the Security Incident.
9. DELETION AND RETURN
Lexitas shall (a) if requested to do so by Controller by the date of termination or expiry of the Agreement, return a copy of all Covered Data or provide self-service functionality allowing Controller to do the same; and (b) within 90 days of the termination or expiry of the Agreement, delete and use all reasonable efforts to procure the deletion of all other copies of Covered Data processed by Lexitas or any Sub-processors. Notwithstanding the foregoing, Controller understands and agrees that Lexitas may retain Covered Data past the expiration of the Agreement if required by applicable law or a legal obligation.
10. CONTRACT PERIOD
This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Lexitas’s deletion of all Covered Data as described in this DPA.
11. DEIDENTIFIED DATA
If Lexitas receives Deidentified Data from or on behalf of Controller, then Lexitas will:
(a) take reasonable measures to ensure the information cannot be associated with a Data Subject;
(b) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
(c) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and US Data Protection Laws.
12. GENERAL
12.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
12.2 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in US Data Protection Laws.
12.3 If any court or competent authority decides that any term of this DPA is held to be invalid, unlawful, or unenforceable to any extent, such term will, to that extent only, be severed from the remaining terms, which will continue to be valid to the fullest extent permitted by law.
12.4 Controller’s failure to enforce any provision of this DPA will not constitute a waiver of that or any other provision and will not relieve Lexitas from the obligation to comply with such provision.
12.5 This DPA and the Agreement set forth the entire understanding and agreement between the Parties with respect to the subject matter hereof.
─────────────────
SCHEDULE 1
DETAILS OF PROCESSING
1. Categories of Data Subjects
The categories of Data Subjects whose Personal Data are Processed:
Lexitas customers and their employees and clients (e.g., plaintiffs, defendants, etc.)
2. Categories of Personal Data
The Processed categories of Personal Data are: business contact information such as name, email address, employer, address; party name, phone number,
3. Special categories of Personal Data (if applicable)
The Processed Personal Data includes the following special categories of data: No sensitive data is processed other than medical records with your authorization and consent.
The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: See Schedule 2.
4. Frequency of the Processing
The Processing is performed from time to time as Controller requests Lexitas’ services.
5. Subject matter and nature of the Processing
The subject matter of the Processing is to provide services as described in the Agreement, including local and national court reporting, medical record retrieval, process service, registered agent services and legal talent outsourcing.
6. Purpose(s) of the Processing
The purpose of the Processing is: to provide services as described in the Agreement, including local and national court reporting, medical record retrieval, process service, registered agent services and legal talent outsourcing.
7. Duration
The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period: if Personal Data is not deleted upon request by Lexitas during the term of the Agreement, the duration of Processing will be as long as this DPA remains in effect or as may be required by law.
8. Sub-processor (if applicable)
For Processing by sub-processors, specify subject matter, nature, and duration of the Processing: Same as defined in sections 5, 6, and 7 of this Schedule 1.
SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Lexitas has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
1) Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Lexitas’ information security program.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Lexitas’ organization, monitoring and maintaining compliance with Lexitas’ policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
a) being transmitted by Lexitas over public networks (i.e., the Internet) or when transmitted wirelessly; or
b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
4) Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
5) Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that Lexitas’ passwords that are assigned to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on Lexitas’ computer systems; (iii) have defined complexity; (iv) have a history threshold to prevent reuse of recent passwords; and (v) if newly issued, be changed after first use.
6) System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
7) Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Lexitas facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
8) Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Lexitas’ possession.
9) Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Lexitas’ technology and information assets.
10) Incident / problem management procedures designed to allow Lexitas to investigate, respond to, mitigate, and notify of events related to Lexitas’ technology and information assets.
11) Network security controls that provide for the use of firewall systems, intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12) Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
13) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.