Data Processing Addendum

The Data Processing Addendum is a boring document, but we strongly recommend that you read it thoroughly. Thanks.

This Data Processing Addendum ("Addendum") is incorporated into the License Agreement or Terms of Service (collectively, the "Agreement") entered into by and between Lucid Dreams Financial Inc. ("Licensor") and the customer ("Licensee"). Licensor and Licensee will be referred to herein as the "Parties".

WHEREAS, Licensee has engaged Licensor to provide the Licensor's software ("Software") to Licensee for Licensee's own business needs, as well as, where Licensor provides its written approval, also those of Licensee's business customers (Licensee's "Clients");

WHEREAS, the use of the Software involves processing certain personal data (whether it concerns the Licensee or Clients), and the Parties wish to regulate Licensor's processing of such personal data, through this Addendum, which is an integral part of the Agreement.

THEREFORE, the parties have agreed to this Addendum, consisting of these parts:

| Part | Is applicable and in force? | Determination of applicability |
|---|---|---|
| Part One -- General provisions | Always applies and in force | |
| Part Two -- U.S. Privacy State Laws | Only if the response to the question on the right is YES, then Part Two applies and is in force. | Is Licensee an entity covered by a U.S. privacy State law? Choose an item. |
| Part Three -- Israeli Privacy Protection Regulations (Information Security) | Only if the response to the question on the right is YES, then Part Three applies and is in force. | Is Licensee subject to Israeli law regarding the personal data that Licensor processes for it? Choose an item. |

Part 1 (General Provisions)

  1. Definitions. Any capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement.
  2. Scope. This Addendum and any of its Parts apply where Licensor is processing any Licensee Data that is personally identifiable to Licensee personnel, Clients or any other individual ("Licensee Personal Data"), where Licensor processes Licensee Personal Data on behalf of Licensee and under Licensee's instructions.
  3. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Agreement or any other agreement in place between the parties, the provisions of this Addendum prevail. In the event of any conflicting provisions between this Part 1 and Part 2 or Part 3, the provisions of Part 2 or Part 3 prevail.
  4. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Licensor's processing of Licensee Personal Data, Licensor will implement and maintain reasonable security procedures and practices appropriate to the nature of the Licensee Personal Data, in order to protect the Licensee Personal Data from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

Licensee agrees that, without limitation of Licensor's obligations set out herein, Licensee is responsible for its use of the Software, including (a) making appropriate use of the Software to ensure a level of security appropriate to the risk in respect of the Licensee Personal Data; and (b) securing the account authentication credentials, systems and devices Licensee uses to access the Software.

  5. Sub-processors. Licensee authorizes Licensor to use third party sub-processors and service providers for processing Licensee Personal Data within the scope of the Agreement and this Addendum. Licensor will bind sub-processors to an agreement that requires the sub-processors to process the Licensee Personal Data in a manner consistent with Licensor's obligations under this Addendum and any applicable laws, by way of engaging in a written contract providing sufficient guarantees thereof. Licensor shall be liable to Licensee for the sub-processors' compliance with their obligations.
  6. Data subject requests. Licensor will follow Licensee's instructions to accommodate data subjects' requests to exercise their rights in relation to their information within the Licensee Personal Data, including accessing their data, correcting it or deleting it. Licensor will pass on to Licensee requests that it receives (if any) from data subjects regarding their information processed by Licensor. Licensor shall notify Licensee of the receipt of such request without undue delay, together with the relevant details.
  7. Return or deletion of information. Upon Licensee's written request where no subsequent further processing is required, Licensor shall, at the instruction of Licensee, either delete or destroy, some or all (however instructed) of the Licensee Personal Data that it and its third party suppliers process for Licensor. Upon Licensee's request, Licensor will furnish written confirmation that the Licensee Personal Data has been deleted pursuant to this section. The foregoing deletion is without prejudice to Licensor's right to continue using de-identified data derived from Licensee Personal Data for the purposes specified in Section 11 below, during and after the Term of the Agreement.
  8. Disclosure. Unless legally prohibited, Licensor will provide Licensee prompt notice of any request it receives from authorities to produce or disclose Licensee Personal Data it has processed on Licensee's behalf, so that Licensee (or its Clients) may contest or attempt to limit the scope of the production or disclosure request.
  9. Data Breaches. Licensor shall without undue delay notify Licensee of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Licensee Personal Data, that it becomes aware of. Licensor will investigate the breach, and take all reasonable measures to mitigate the breach and prevent its reoccurrence. Licensor will cooperate in good-faith with Licensee on issuing any statements or notices regarding such breaches, to authorities and data subjects.
  10. Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum, shall be subject to the sole and exclusive jurisdiction and venue specified in the Agreement.
  11. Aggregate and Statistical data. Licensee acknowledges that Licensor will generate and process de-identified, aggregate and/or statistical analytics information based on the Licensee Personal Data, as well as any de-identified insights generated based on the Licensee Personal Data, for the purpose of: (A) product development, improvement, and enhancement (including to develop new features, products and services, for any purpose Licensor determines), (B) the training of the Service's AI models, (C) marketing, profiling, benchmarking, or product demonstrations to third parties, and (D) provision of services to other clients, and (A)-(D) above (collectively referred to as "Licensor's Business Purposes") are not subject to any consent from Licensee. The processing of such data for Licensor's Business Purposes is not subject to this Addendum.

Part 2 (U.S. State Privacy Laws)

  1. Definitions. In this Part, the following terms shall be interpreted as follows:
    1. "Applicable Data Protection Laws" means, as applicable to the relevant Personal Data and its Processing thereof under the Agreement, any United States State privacy laws, including the CPRA and other laws in the United States, such as (but not limited to): Virginia Consumer Data Protection Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Consumer Privacy Act, and the Colorado Privacy Act.
    2. "CPRA" means the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq.).
    3. "Collect" (and its cognate terms) means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means. This includes obtaining information from the Consumer, either actively or passively, or by observing the Consumer's behavior or interaction.
    4. "Consumer" means a natural person, including a natural person in their professional or work capacity.
    5. "Personal Data" or "Personal Information" means 'personal data' or 'personal information' (as these terms are defined in Applicable Data Protection Laws) that Licensor Processes on behalf of the Licensee within the scope of the performance of the Agreement (whether that Personal Data concerns the Licensee or its Clients).
    6. "Process" (and its cognate terms) means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether by automated means or otherwise.
    7. "Sell" (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information for monetary or other valuable consideration.
    8. "Share" (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged.
    9. "Subprocessors" means third parties authorized under this Addendum to Process Personal Data as part of the Products and Services.
  2. Subprocessors. Licensee may subscribe to email updates from Licensor concerning new or replaced Subprocessors, by sending an email request to support@getlucid.financial, to subscribe to the Licensor's mailing list on this topic. If Licensee subscribed to the foregoing mailing list, then before Licensor engages any new Subprocessor, Licensor will notify Licensee of the engagement by email to Licensee. If Licensee objects to such engagement in a written notice to Licensor within fifteen (15) days of being informed thereof, on reasonable grounds relating to the protection of Personal Data, Licensee and Licensor will cooperate in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe using reasonable and good faith efforts, Licensee may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Licensor.
  3. Data Subject Rights. If Licensor receives any requests from data subjects (that is, any individual whom the Personal Data is about) in relation to that data subject's Personal Data, Licensor will advise the data subject to submit the request to Licensee and Licensee will be responsible for responding to any such request. Taking into account the nature of Licensor's Processing of Personal Data, Licensor will provide Licensee with reasonable assistance as necessary for Licensee to perform its obligations under Applicable Data Protection Laws to fulfill requests filed by data subjects.
  4. Proof of Compliance.
    1. Upon reasonable request by Licensee, Licensor shall make available to Licensee all information in its possession necessary to demonstrate Licensor's compliance with its obligations under Applicable Data Protection Laws.
    2. Licensor shall allow, and cooperate with, reasonable assessments by Licensee or Licensee's designated assessor, of Licensor's policies and technical and organizational measures in support of the obligations under Applicable Data Protection Laws, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.
    3. Licensor must promptly notify Licensee if it determines that it can no longer meet its obligations under this Addendum or Applicable Data Protection Laws.
  5. Licensee Responsibilities. Licensee represents and warrants to Licensor that (a) Licensee has established or ensured that another party has established a legal basis for Licensor's Processing of Personal Data contemplated by this Addendum; (b) all notices have been given to, and consents and rights have been obtained from, the relevant data subjects and any other party as may be required by Applicable Data Protection Laws and any other laws for such Processing; and (c) Personal Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), or any biometric information.
  6. CPRA Obligations.
    1. Licensor must not Sell or Share any Personal Information it Processes.
    2. Licensor is prohibited from retaining, using, or disclosing the Personal Information that it Processes for any commercial purpose other than the foregoing business purposes and Licensor's Business Purposes permissible under the CPRA, unless Licensor is otherwise required under applicable law. Additionally, Licensor is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to the Agreement outside the direct business relationship between Licensor and Licensee and Licensor's Business Purposes permissible under the CPRA, unless Licensor is otherwise required under applicable law.

Part 3 (Israeli law)

  1. Definitions. In this Part, the following terms shall be interpreted as follows:
    1. "Applicable Law" means the Israeli Protection of Privacy Law, 5741-1981 (hereinafter -- the "Privacy Law") and the regulations promulgated thereunder (and in particular the Protection of Privacy Regulations (Information Security), 5777-2017), the guidelines of the Registrar of Databases, and in particular Guidelines No. 2/2011 regarding the use of outsourcing for processing of personal data, as well as any legislative or administrative provision or directive that will apply to Licensor in connection with Processing Personal Data.
    2. "Database" means a collection of Personal Data held by physical, digital, magnetic or optical means.
    3. "Personal Data" means information, data and data sets that relate to an individual, which information is Processed by Licensor on behalf of the Licensee, but excluding data that Licensor Processes to operate the Software, to market or promote its products, to develop, improve and enhance the Software and its products, or to administer the business or contractual relationship between the Parties.
    4. "Processing" (and its derivatives) means the collection, access, retention, modification, use, disclosure and transfer of Personal Data.
  2. General Provisions
    1. Licensor shall grant its employees access to the Database, subject to conducting training activities regarding privacy protection and information security obligations under Applicable Law and this Addendum.
    2. Licensor shall not grant access to the Personal Data to its employees, before reviewing and confirming, within the boundaries of Applicable Law, that their background, integrity, and reliability are suitable for a position granting them access to Personal Data.
    3. Licensor undertakes to manage access rights to Personal Data, including by way of providing its employees with 'Least Privileges' based on their 'Need to Know', for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Personal Data. In addition, Licensor will maintain an up-to-date listing of all individuals authorized to access or use the Database and will prevent access to any individual who does not have a need to be exposed to the Personal Data.
    4. Licensor shall develop, implement, and enforce an information security policy that covers at least the following topics ("Information Security Policy"):
      1. Guidelines regarding the physical protection of the Database systems and the sites in which they are located;
      2. Guidelines regarding the management and monitoring of access authorizations and actions taken in the Database;
      3. Mapping of all of the security measures taken by Licensor regarding the Database;
      4. Guidelines for individuals authorized to access Personal Data and Database;
      5. A review of the risks to which the Personal Data is exposed as part of Licensor's ongoing activities including instructions regarding the means of recording, monitoring, and identifying threats to which the Database systems are exposed;
      6. Instructions and procedures regarding the mitigation and management of a Personal Data breach;
      7. Instructions and procedures regarding the use of removable devices.
    5. Licensor shall map the operational environment of the Database. In this regard, Licensor shall prepare an inventory list that includes all the systems, software, interfaces, infrastructures of hardware components and communications components that Licensor operates in the Database environment for the ongoing operation of the Database (the "Database Systems"). Licensor shall update the list of inventories specified in this section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. However, Licensor shall update the foregoing list in any case in which substantial changes to the operating environment are implemented in the Database or in the manner in which Personal Data is Processed.
    6. In the event of a Personal Data breach, Licensor will provide a notification to Licensee within a reasonable time after becoming aware of any Personal Data breach.
    7. If required by Applicable Law, Licensor shall provide Licensee, at least every 12 months or upon Licensee's request, a written approval according to which it performs and fulfills its obligations pursuant to this Addendum and the provisions of Applicable Law. Licensor shall fully cooperate with Licensee in providing all information and assistance reasonably requested by Licensee in connection with data security issues and practices and supplementary documents, so as to allow Licensee to properly address information security, privacy and regulatory matters relating to the Database.
  3. To the extent that Licensee's Database is considered a Database at a medium data security level under Applicable Law, this Database will be subject to additional requirements as set forth in Schedule A of this Part.
  4. To the extent that Licensee's Database is considered a Database at a high data security level under Applicable Law, this Database will be subject to additional requirements as set forth in Schedule B of this Part.

Schedule A -- Additional requirements for Databases at medium data security level

  1. Without derogating from section 2.4 of Part 3, Licensor shall also include in the Information Security Policy the following:
    1. The means of identification and verification of access to the Database Systems;
    2. Instructions regarding the manner in which access to the Database is managed, the means of controlling access to Personal Data and the actions taken regarding the Personal Data;
    3. Instructions regarding periodic audit reports;
    4. Instructions and procedures regarding periodic backup and restoration of the Documentation Mechanism (defined below);
    5. Instructions regarding the manner in which development activities in the Database are performed and documented.
  2. In addition to the requirements set in section 2.5 of Part 3, Licensor will ensure that the systems and devices located in its premises or assigned to its employees, consultants, and anyone on its behalf, on which Personal Data is Processed or accessed (for example: servers, workstations, communication components, etc.) will be stored in a protected location, which prevents unauthorized intrusion and physical entry. Without derogating from the above, Licensor will take measures to control and document the entry to and exit from its own sites, only if and where the physical Database Systems are located, and will audit all inbound and outbound equipment to and from the Database Systems (for example: laptops, cameras, etc.).
  3. Without derogating from section 2.1 of Part 3, Licensor shall grant its employees access to the Database, subject to conducting training activities regarding privacy protection and information security obligations applicable. Such training shall take place at least once every two years and as soon as possible after recruiting.
  4. Licensor shall grant its own authorized users access to the Database subject to authentication measures based on physical means, such as two-factor authentication through the smartphone of the authorized user. In this regard, Licensor shall determine the means of identification, instructions related to passwords management, and provisions concerning handling faults related to identity authentication.
  5. Licensor undertakes to automatically document all activities carried out in the Database Systems, including (but not limited to) documenting attempts to access the database systems, deleting and/or changing Personal Data, database development operations and change in access permissions to the database systems ("Documentation Mechanism"). The Documentation Mechanism will collect at least the following data: the user's identity, the date and time of the operation, the source of the operation (web address or computer name), the system component in which the operation was performed, the type of operation, whether the operation was successful or failed. The audit data generated by the Documentation Mechanism shall be maintained for 24 months.
  6. Without derogating from section 2.6 of Part 3, Licensor will discuss occurrences of Personal Data breaches at least once every 12 months, and will examine the need to update its Information Security Policy as a result therefrom. The findings of those discussions will be sent to Licensee.
  7. Licensor undertakes to conduct, at least once in 24 months, an internal or external audit by an entity or a person with appropriate certification for auditing information security (who is not the Licensor's CISO), in order to ascertain the Licensor's compliance with these provisions and the provisions of Applicable Law.
  8. Licensor undertakes to establish guidelines regarding how to recover and back up the Personal Data periodically including instructions regarding data recovery during Personal Data breach.

Schedule B -- Additional requirements for Databases at high data security level

  1. In addition to the requirements specified in section 3 of Schedule A above, Licensor shall conduct data security risk assessments, in relation to its Processing of Personal Data in accordance with the Agreement and this Addendum. Such data protection risk assessment will take place at least every eighteen (18) months.
  2. In addition to the requirements specified in section 3 of Schedule A above, Licensor shall conduct penetration tests on the Database Systems to examine their resilience to internal and external risks. Such tests shall take place at least once every eighteen (18) months; Licensor will then discuss the results of the penetration tests and will correct the deficiencies discovered (if any). The findings will be shared with Licensee.
  3. Notwithstanding anything to the contrary in the Addendum, Licensor will conduct discussions regarding occurrence of Personal Data breaches at least every three (3) months and will examine the need to update its Information Security Policy. The findings will be shared with Licensee.
  4. Without derogating from section 8 of Schedule A, Licensor will maintain a copy of the backup data in a manner that assures the accuracy and reliability of that data.