EU/Swiss Data Processing Addendum
Revision Date: 11/1/2019
This EU/Swiss Data Processing Addendum (“EU/SW-DPA”) has an effective date of the Revision Date above (“Effective Date”), and forms part of the master services agreement between Customer and Lexbe (the “Agreement”), located at https://www.lexbe.com/master-services-agreement/, and may also be part of an Incorporating Agreement, and reflects the parties’ agreement regarding EU/Swiss Processing of EU/Swiss Personal Data and EU/Swiss-U.S. Data Transfers, as applicable. This EU/SW-DPA is intended to apply to instances in which Customer or Customer End-Clients utilize the Lexbe eDiscovery Platform or other Lexbe Software and Services in connection with EU/Swiss Personal Data. References to the Agreement will be construed as including without limitation this EU/SW-DPA. Any capitalized terms not defined in this EU/SW-DPA shall have the respective meanings given to them in the Agreement.
1. Definitions. The following terms shall have the respective meanings given to them in the EU/SW-DPA:
“Customer End-Clients” means organizations or individuals who are clients of Customer, including employees and agents for organizational clients of Customer, in connection with legal representation of such organizations or individuals by Customer in a Legal Matter, or for other authorized use of Lexbe Software and Services by Customer.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, EU/Swiss Personal Data.
“EEA” means the European Economic Area, including, for purposes herein, the United Kingdom and Switzerland.
“EU/Swiss Controller” means the entity which determines the purposes and means of the EU/Swiss Processing of EU/Swiss Personal Data.
“EU/Swiss-U.S. Data Transfer(s)” means the transfer(s) of EU/Swiss Personal Data outside of the EEA to the United States in Lexbe’s care and control, in connection with the provision and use of the Lexbe eDiscovery Platform, and other use by Customer or Customer End-Clients of Lexbe Software and Services under the Agreement.
“EU/Swiss Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the EU/Swiss Processing of EU/Swiss Personal Data under the Agreement, including the GDPR.
“EU/Swiss Data Subject(s)” means an individual(s) who is or are the subject of EU/Swiss Personal Data.
“EU/Swiss Data Subject Request” means a request from an EU/Swiss Data Subject for access to, correction, amendment or deletion of such EU/Swiss Data Subject’s EU/Swiss Personal Data.
“EU/Swiss Personal Data” means any data in connection with a Legal Matter involving Customer or Customer’s End-User relating to an identified or identifiable individual that is within the scope of protection as “personal data” under the EU/Swiss Data Protection Laws and Regulations, and that is EU/Swiss Processed by Lexbe in connection with the provision of the Lexbe Software and Services.
“EU/Swiss Process”, “EU/Swiss Processed”, or “EU/Swiss Processing” means any operation or set of operations performed upon EU/Swiss Personal Data or sets of EU/Swiss Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“EU/Swiss Processor” means the entity which processes EU/Swiss Personal Data on behalf of an EU/Swiss Controller.
“EU/Swiss Sub-Processors” means any EU/Swiss Processor engaged by Lexbe under Section 3 of this EU/SW-DPA.
“GDPR” means the General Data Protection Regulation (Regulation (EU/Swiss) 2016/679).
“Incorporating Agreement” means any written agreement between Lexbe (which is signed by an executive officer of Lexbe) and the Customer or any related person that incorporates by reference this EU/SW-DPA.
“Legal Matter” means an actual or anticipated lawsuit, arbitration, mediation, or administrative proceeding in a court of law or before an administrative body or arbitration or mediation organization, in which a legal remedy or outcome is sought, or related investigation.
“Lexbe” means Lexbe Inc., a Texas Corporation, and may also be referred to as “we” or “us”.
“Lexbe eDiscovery Platform” means Lexbe’s web-based eDiscovery hosted review application available as SaaS, developed, operated, and maintained by Lexbe, accessible via www.Lexbe.com and www.eDiscoveryPlatform.com, and as further defined in the Agreement. The Lexbe eDiscovery Platform is a DIY eDiscovery tool intended to assist in the prosecution and defense of Legal Matters. Authorized users in a Customer account in the Lexbe eDiscovery Platform can create and delete cases within an account, and upload electronically stored information to an account, including as applicable EU/Swiss Personal Data.
“Lexbe Software and Services” means Lexbe’s provision of software and services as defined in the Agreement, including without limitation Customer access to and use of the Lexbe eDiscovery Platform, hosted from the United States.
“Notice of EU/Swiss Personal Data” means a notice that Customer provides to Lexbe of the specific Legal Matter in the Lexbe eDiscovery Platform that Customer believes include or may include EU/Swiss Personal Data, and to which the provisions of the EU/SW-DPA do or may apply. This notice should include the Customer’s account name and the case or cases within the Lexbe eDiscovery Platform that include or may include EU/Swiss Personal Data, as well as notice when any case or cases in the Customer’s account that Customer believes include or may include EU/Swiss Personal Data are deleted or closed by Customer or any authorized user of Customer. If Customer sends Lexbe Customer Data that includes or may include EU/Swiss Personal Data, including by hard disc drive, flash drive, FTP, DropBox, hard copy, or any other means of transfer, Customer will specifically advise Lexbe with the same procedures above.
2. EU/Swiss Processing of EU/Swiss Personal Data.
a. Roles of the Parties. The parties agree that Customer is the EU/Swiss Controller solely responsible for determining the purposes and means of the EU/Swiss Processing of EU/Swiss Personal Data, and Lexbe is Customer’s EU/Swiss Processor responsible for EU/Swiss Processing EU/Swiss Personal Data on behalf of the EU/Swiss Controller. Lexbe may engage EU/Swiss Sub-Processors to Process EU/Swiss Personal Data pursuant to the requirements set forth in Section 3 “EU/Swiss Sub-Processors” below.
b. Notice of EU/Swiss Personal Data. Prior to or contemporaneous with uploading EU/Swiss Personal Data into the Lexbe eDiscovery Platform, or sending or granting access to EU/Swiss Personal Data to Lexbe personnel for the purpose of uploading into the Lexbe eDiscovery Platform, or otherwise requesting Lexbe Software and Services, Customer shall provide Lexbe with Notice of EU/Swiss Personal Data, to assist Lexbe in identifying specific data to apply procedures and safeguards as provided in this EU/SW-DPA.
c. Customer’s EU/Swiss Processing of EU/Swiss Personal Data. Customer shall, in its use of Lexbe Software and Services, Process EU/Swiss Personal Data in accordance with, and in compliance with, all applicable laws, including the EU/Swiss Data Protection Laws and Regulations. Customer’s instructions provided to Lexbe with respect to the EU/Swiss Processing of EU/Swiss Personal Data shall at all times comply with EU/Swiss Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, quantity, and legality of EU/Swiss Personal Data and the means by which Customer acquired EU/Swiss Personal Data, including, without limitation, receiving the consent of each EU/Swiss Data Subject to the extent it may be required under applicable law. Customer or its agents shall maintain as required any EU/Swiss Processing registers or overview as required by the EU/Swiss Data Protection Laws and Regulations or other applicable law.
d. Instructions. Lexbe shall only Process EU/Swiss Personal Data in accordance with Customer’s instructions unless Lexbe is otherwise required to process the EU/Swiss Personal Data for other reasons under the EU/Swiss Data Protection Laws and Regulations. Customer’s initial instructions for the EU/Swiss Processing of EU/Swiss Personal Data, if applicable, are defined by the Agreement, and any other applicable order form or statement of work regarding the Lexbe Software and Services, including those specified in an Incorporating Agreement. With the mutual agreement of the parties and subject to this EU/SW-DPA and the Agreement, Customer may issue additional written instructions concerning the type, extent, and procedure of EU/Swiss Processing.
e. Details of EU/Swiss Processing. The initial nature and purpose of the EU/Swiss Processing, duration of EU/Swiss Processing, categories of EU/Swiss Data Subjects, and types of EU/Swiss Personal Data are as follows:
(1) Nature and Purpose. Provision of the Lexbe Software and Services for Customer and Customer’s Customer End-Clients, in connection with Legal Matters of Customer.
(2) Duration. Lexbe will process EU/Swiss Personal Data for the duration of the Agreement, or individual Legal Matter(s) involving EU/Swiss Personal Data if shorter, unless otherwise agreed in writing by the parties. Lexbe will retain EU/Swiss Personal Data as set forth in the Agreement and this EU/SW-DPA.
(3) Categories of EU/Swiss Data Subjects. Customer may submit EU/Swiss Personal Data to and utilize the Lexbe Software and Services, as determined and controlled by Customer in its sole discretion. This includes EU/Swiss Personal Data relating to the following categories of EU/Swiss Data Subjects: Employees of Customer, End-clients of Customer, Consultants or expert witnesses retained by Customer or Customer’s Customer End-Clients, Customer’s authorized users of the Lexbe Software and Services, other data related to Customer Legal Matters.
(4) Types of EU/Swiss Personal Data. Customer may submit in Customer’s discretion EU/Swiss Personal Data in connection with Customer Legal Matters, including the following categories of EU/Swiss Personal Data: Application usage data (e.g. log-files), User identification data (which may include title, name, address, telephone number, fax number, company address, email address), Cookies and session information, Internet protocol (IP) address and other computer identifiers, Contact details (e.g. telephone, email), Billing and payment data, User-provided content, EU/Swiss Personal Data contained in data received from Customer’s Customer End-Clients. Customer may specify further types of EU/Swiss Personal Data or categories of EU/Swiss Data Subjects in the Agreement, or notify Lexbe of any additional types or categories from time to time.
(5) Impact Assessments and Consultations. Upon Customer’s reasonable request, Lexbe shall provide reasonable assistance at Customer’s expense, including by providing any relevant information, as Customer reasonably requires in order for Customer to prepare any data protection impact assessments or undertake any necessary data protection consultation required by the EU/Swiss Data Protection Laws and Regulations.
(6) Return or Deletion of Customer EU/Swiss Personal Data. With respect to EU/Swiss Personal Data submitted through Lexbe Software and Services, Lexbe will, as required by and in compliance with EU/Swiss Data Protection Laws and Regulations, return EU/Swiss Personal Data to Customer and/or, to the extent permitted, may delete such EU/Swiss Personal Data in accordance with the procedures and timeframes set forth in the Agreement. To the extent any EU/Swiss Personal Data is retained by Lexbe longer than the timeframes set forth in Lexbe’s retention and deletion policy, such EU/Swiss Personal Data will be rendered anonymous in such a manner that the EU/Swiss Data Subject is no longer identifiable.
3. EU/Swiss Sub-Processors. Customer agrees that Lexbe may engage EU/Swiss Sub-Processors to Process EU/Swiss Personal Data in accordance with this EU/SW-DPA. A list of EU/Swiss Sub-Processors including their addresses current as of the Effective Date is available to Customer on request, after providing Lexbe with a Notice of EU/Swiss Personal Data in a pending Legal Matter. When engaging EU/Swiss Sub-Processors, Lexbe shall enter into agreements with the EU/Swiss Sub-Processors to bind them to obligations that are substantially similar to those set out in this EU/SW-DPA. Lexbe may sign such agreements directly with the EU/Swiss Sub-Processors. Lexbe shall remain fully liable for the acts or omissions of EU/Swiss Sub-Processors that impact EU/Swiss Personal Data under this EU/SW-DPA. Lexbe will notify Customer in advance of any changes to EU/Swiss Sub-Processors using regular communication means such as email, websites, and communications portals. If Customer reasonably objects to the addition of a new EU/Swiss Sub-Processor (e.g., such change causes Customer to be non-compliant with applicable EU/Swiss Data Protection Laws and Regulations) with respect to a pending Legal Matter with EU/Swiss Personal Data, Customer shall notify Lexbe in writing of its specific objections within ten (10) days of receiving such notification. If such Customer does not object within such period, the addition of the new EU/Swiss Sub-Processor and, if applicable, the accession to this EU/SW-DPA shall be considered accepted.
If such Customer does object to the addition of a new EU/Swiss Sub-Processor and Customer is using the Lexbe Software and Services for a current Legal Matter involving EU/Swiss Personal Data, and Lexbe cannot reasonably accommodate such Customer’s objection, such Customer may terminate the Lexbe Software and Services with respect to cases in which Lexbe has previously received Notice(s) of EU/Swiss Personal Data from Customer, with such notice of termination to be provided in writing within sixty (60) days of receiving Lexbe’s notification that Lexbe cannot reasonably accommodate Customer’s objection.
4. Customer Agreements. Customer agrees on behalf of Customer and the Customer End-Clients that:
a. The EU/Swiss Personal Data has been collected and transferred to Lexbe for use in Lexbe Software and Services in accordance with the EU/Swiss Data Protection Laws and Regulations.
b. Prior to its transfer to Lexbe, the EU/Swiss Personal Data has been maintained, retained, secured and protected in accordance with the EU/Swiss Data Protection Laws and Regulations.
c. Customer will respond to inquiries from EU/Swiss Data Subjects and from applicable regulatory authorities concerning the EU/Swiss Processing of the EU/Swiss Personal Data, and will alert Lexbe of any inquiries from EU/Swiss Data Subjects or from applicable regulatory authorities that relate to Lexbe’s EU/Swiss Processing of the EU/Swiss Personal Data.
d. Customer has a valid, lawful basis for the EU/Swiss Processing of EU/Swiss Personal Data under this EU/SW-DPA.
e. Customer will utilize the Lexbe eDiscovery Platform and other Lexbe Software and Services for EU/Swiss Personal Data only in connection with the establishment, exercise or defense of legal claims, on behalf of Customer or Customer’s Customer End-Clients, only for the minimum necessary data for adequate prosecution or defense of legal claims.
f. Customer will make available a copy of this Agreement to any EU/Swiss Data Subject or regulatory authorities as required by the EU/Swiss Data Protection Laws and Regulations or upon the reasonable request of an EU/Swiss Data Subject or a regulatory authority.
g. Customer will provide Lexbe with applicable Notice(s) of EU/Swiss Personal Data on a timely basis, as required by Section 2(b) of this EU/SW-DPA.
5. Rights of EU/Swiss Data Subjects. Lexbe will promptly notify Customer if it receives an EU/Swiss Data Subject Request, so long as legally permitted by applicable legal authorities and applicable laws. Taking into account the nature of the EU/Swiss Processing, Lexbe will assist Customer by appropriate technical and organizational measures, for the fulfillment of Customer’s obligation to respond to an EU/Swiss Data Subject Request under EU/Swiss Data Protection Laws and Regulations, as legally required and commercially reasonable. In addition, to the extent Customer, in its use of Lexbe Software and Services, does not have the ability to address an EU/Swiss Data Subject Request, Lexbe shall, upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such EU/Swiss Data Subject Request, to the extent Lexbe is legally permitted to do so and the response to such EU/Swiss Data Subject Request is required under EU/Swiss Data Protection Laws and Regulations. Customer shall be responsible for any costs arising from Lexbe’s provision of such assistance.
6. Lexbe Personnel. Lexbe will ensure that its personnel engaged in EU/Swiss Processing are informed of the confidential nature of any EU/Swiss Personal Data, and have executed written confidentiality agreements. Lexbe will ensure that such confidentiality obligations survive the termination of the personnel engagement. Lexbe will use commercially reasonable efforts to take the necessary steps to ensure the reliability of any Lexbe personnel engaged in the EU/Swiss Processing of EU/Swiss Personal Data. Lexbe will use commercially reasonable efforts to ensure that Lexbe’s access to EU/Swiss Personal Data is limited to those Lexbe personnel performing Lexbe Software and Services to Customer pursuant to this Agreement, or otherwise supporting the Lexbe Software and Services. Lexbe has appointed a data protection officer who may be reached at privacy@Lexbe.com.
7. Security. Lexbe warrants that it maintains appropriate technical and organizational measures for the protection of the security, including protection against Data Breaches. Lexbe regularly monitors compliance with these measures. Lexbe maintains an industry-standard security incident management policy and shall notify Customer without undue delay after becoming aware of any Data Breach. Lexbe shall use reasonable commercial efforts to identify the cause of any such Data Breach and take reasonable steps necessary to remediate the cause of such Data Breach, to the extent remediation is within Lexbe’s reasonable control. The obligations set forth herein shall not apply to any Data Breach or incident or breach caused by Customer or Customer’s users.
8. Recordkeeping and Audit. Lexbe will maintain such records with respect to EU/Swiss Processing and EU/Swiss Personal Data in connection with Lexbe Software and Services as necessary to comply with its obligations under GDPR. Upon Customer’s written request, and subject to the confidentiality obligations set forth in this Agreement, Lexbe will certify this with respect to any specific EU/Swiss Personal Data provided to Lexbe by Customer, as provided in applicable Notices of EU/Swiss Personal Data. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable EU/Swiss Data Protection Laws and Regulations, only the legally mandated entity (such as a governmental regulatory agency having oversight of Customer’s operations) may conduct an onsite visit of the facilities used to provide the Lexbe Software and Services. Unless expressly and specifically mandated by EU/Swiss Data Protection Laws and Regulations, no audits are allowed within a data center for security and compliance reasons.
9. EU/Swiss-U.S. Data Transfers. Customer authorizes Lexbe to engage in EU/Swiss-U.S. Data Transfers, provided that Lexbe shall implement appropriate safeguards for any such Data Transfer, as required by the EU/Swiss Data Protection Laws and Regulations. Customer agrees to provide Lexbe with a prior or contemporaneous Notice of EU/Swiss Personal Data, as provided in Section 2(b) of the EU/SW-DPA. Customer acknowledges that Lexbe has applied for self-certification with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce, but has not yet been approved. Also, once approved, Lexbe may at any time cease to maintain such self-certifications, or the self-certifications may be terminated or suspended, and in such circumstances Lexbe may instead implement alternative appropriate safeguards for any EU/Swiss-U.S. Data Transfer.
10. Lexbe Notice Requirements. With respect to a Customer that has provided Lexbe with a Notice of EU/Swiss Personal Data in a pending Legal Matter, Lexbe agrees that it will notify Customer if it determines that it cannot or will no longer meet the obligations set forth in this EU/SW-DPA or the GDPR with respect to performing Lexbe Software and Services for such Customer; and upon such notice, Lexbe will take reasonable and necessary steps, without undue delay, to stop EU/Swiss Processing such EU/Swiss Personal Data. All such notices shall be sent to the email address associated with a Customer’s Lexbe Account. Notices required to be delivered by Customer to Lexbe shall be sent to privacy@Lexbe.com.