Data Processing Agreement
Updated: April 3, 2023
This Data Processing Agreement (this “DPA”), effective as of the Effective Date, is hereby made a part of and incorporated into the DPA and is entered between your company and its Affiliates (“Customer” or “Controller”) and LYNCH, INCORPORATED, on behalf of itself and its Affiliates (“L2”). This DPA forms part of any Statement of Work, Pricing Agreement, Terms of Service, Privacy Agreement, Hosting Agreement, and all other agreements between the Parties (the "Principal Agreements").
We periodically update this DPA. If you have an active L2 account, we will inform you of any modification by email or similar means.
This DPA shall be effective for the Term of any Principal Agreement to which data processing laws, as set forth herein, apply.
WHEREAS Customer subscribes to L2’s Services and the Services of Contracted Processors, as outlined herein and in the Principal Agreements.
WHEREAS Customer's interaction with L2 and subscription to Services implies processing Personal Data by L2 and Contracted Processors, acting as a Data Processor(s).
WHEREAS Customer acts as a Data Controller for Customer’s Users, itself and for any other Personal Data added by Customer to the Services.
WHEREAS the Parties seek to implement a data processing agreement that complies with the current data processing and other requirements of the Applicable Privacy Laws.
DEFINITIONS:1. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
- “Affiliates” means, concerning the identified party, any entity directly or indirectly controlled by, controlling, or under common control with such party.
- “Applicable Privacy Laws” means data protection and privacy laws and regulations applicable to the Processing of Personal Data under the DPA, including but not limited to, where applicable, the GDPR, the UK GDPR, the CCPA, the LGPD, and the Australian Privacy Act.
- "Company Personal Data" means any Personal Data Processed by a Contracted Processor on Customer's behalf, on behalf of Customer’s Users, under or in connection with the Principal Agreements;
- “Customer’s Users” shall mean the users of the Services as marketed, offered, sold, added to the Services, allowed to use the Services, or offered a subscription by the Customer.
- "GDPR" means EU General Data Protection Regulation 2016/679;
- "Data Transfer" means:
- A transfer of Company Personal Data from Customer to a Contracted Processor; or
- An onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,
- "Services" or “Service” means any Service provided by L2 to Customer or Customer’s Users under any Principal Agreement.
- "Sub Processor" means any person appointed by or on behalf of Processor to process Personal Data on Customer's behalf in connection with the DPA.
- The terms "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," and "Processing" shall have the same meaning as in the GDPR.
- Customer acknowledges that it shall, and is responsible, to provide instructions to Processor or its Contracted Processor, as appropriate, to process Company’s Personal Data and related technical support.
- All Personal Data Processed under the terms of this DPA shall remain the property of Customer. Customer will be solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Personal Data. Under no circumstances will any member of L2 act, or be deemed to act, as a “Controller” (or equivalent concept) of the Personal Data Processed within the Services under any Applicable Privacy Laws.
- Processor shall comply with all applicable Applicable Privacy Laws in Processing Company Personal Data.
- Neither Processor nor Contracted Processor shall process Company Personal Data other than Customer's documented instructions.
- Customer acknowledges that in offering certain Services to Customer, L2 may not process any Personal Data itself and that such Personal Data could be processed by a Contracted Processor.
- L2 will not: (i) collect, retain, use, or disclose Personal Data for any purpose other than as necessary for the specific purpose of performing the Services as described in the Agreement, including use of the Personal Data for a commercial purpose other than providing the Services; and (ii) sell the Personal Data.
- L2 may collect and process usage and other similar data which, except to the extent such Usage Data contains Personal Data Processed on behalf of Customer and/or Customer’s Users, is and shall remain the property of L2.
- Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the Principal Agreements, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Processor shall implement, and require its Contracted Processors to implement, appropriate technical and organizational measures to ensure a reasonable and appropriate level of security of Personal Data, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Processor shall consider and require its Contracted Processors to consider the risks presented by Processing the specific Personal Data.
- Customer agrees and provides general authorization for L2 and its Contracted Processors to appoint other Contracted Processors to assist it in providing the Services, provided that such Contracted Processors agree to protect Personal Data to a standard consistent with the requirements of this DPA.
- Where stated explicitly by Applicable Privacy Law, L2 remains fully liable for any breach of this DPA or the Principal Agreements caused by an act, error, or omission of such Contracted Processor.
- Customer agrees that they will not interfere with L2’s obligations to Contracted Processors and, as relevant, will comply with the DPAs by Contracted Processors utilized to provide services to Customer.
- The list of Contracted Processors used in providing Services who may have access to or process Personal Data, as well as their DPAs, Contracted Processors and Sub-Processors, and other relevant information, is available at https://www.donate2.com/sub-processors (or on web pages linked from this page or other linked pages, or such successor URL as determined by L2 in its sole discretion) (the “Contracted Processor Webpage”) and may be updated from time to time. Before adding or replacing any Contracted Processors, L2 shall take responsible steps to provide notice to the Customer, including updating the Contracted Processor Webpage. It is the Customer’s responsibility to check this website for changes.
- Customer represents and acknowledges that it has reviewed and is contractually bound to the Data Processing Agreements of Contracted Processors as identified in Paragraph 5.4.
- To the extent the Data Processing Agreement of Contracted Processor conflicts with this DPA, Customer, and L2 agree that the Contracted Processor’s DPA shall control.
- Customer acknowledges that any third-party services that may be linked to, integrated into, or used within the L2 Services (Third-Party Services) are governed solely by the terms and conditions and privacy policies of such third-party Services, including Contracted Processors.
- Customer acknowledges L2 does not endorse, is not responsible or liable for, and makes no representations of any aspect of such Third-Party Services or Contracted Processors. L2 is not liable for any damage or loss caused or alleged to be caused by or in connection with the Customer’s enablement, access, or use of any such Third-Party Services or with a Contracted Processor.
- If Customer objects to the processing of its Personal Data by any newly appointed Sub-processor, it shall inform L2 in writing within fourteen days after notice has been provided by L2. If Customer objects on reasonable grounds relating to the protection of Personal Data, L2 will either, at L2’s option, (a) work with Customer to address Customer’s reasonable objections and thereafter proceed to use the Sub Processor to perform such Processing; (b) instruct the Sub Processor to cease any further Processing of Customer Personal Data, which may result in new Services features enabled by the Sub-processor not being available to Customer; or (c) allow Customer to immediately terminate the Agreement in respect of those Services that cannot be provided without the Sub-processor.
- Taking into account the nature of the Processing, Processor shall provide appropriate technical and organizational measures, insofar as possible, for fulfilling Customer obligations to respond to requests to exercise Data Subject rights under the Applicable Privacy Laws.
- Processor shall:
- Promptly notify Customer if it receives a request from a Data Subject or Contracted Processor under any Data Protection Law in respect of Personal Data; and
- Ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
- To the extent L2 is required under Applicable Privacy Laws, L2 will assist Customer in conducting a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed Processing activity that presents a high risk to Data Subjects. Customer shall be responsible for any costs arising from L2’s or any Contracted Processor’s provision of such assistance.
- Personal Data Breach
- Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Privacy Laws.
- Processor shall at Customer’s Cost:
- Cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data breach.
- Provide timely information and cooperation as Customer may reasonably require to fulfill Customer’s Personal Data breach notification obligations under Applicable Privacy Laws;
- Take such measures and actions as are appropriate to remedy or mitigate the effects of the Data Breach.
- Keep Customer up-to-date about developments in connection with the Data Breach.
- Processor shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely concerning Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
- Upon Customer’s request or upon termination or expiry of the DPA, L2 shall destroy all Personal Data in its possession or control. This requirement shall not apply to the extent that L2 is required by any applicable law to retain some or all of the Personal Data, in which event L2 shall isolate and protect the Personal Data from any further Processing except to the extent required by such law.
- To the extent L2 is required under Applicable Privacy Laws, at Customer’s reasonable request and with advance written notice, L2 will make available to Customer such records and information as is necessary to demonstrate its compliance with this DPA and allow Customer or a mutually agreed upon, independent third party to conduct an onsite audit to verify such compliance. Any such audit will be conducted (a) on reasonable advance written notice to L2; (b) no more than once per year; (c) during L2’s standard business hours; and (d) in such a manner to minimize disruption to L2’s operations. Any information provided by L2 in connection with such audit or generated as a result of such audit must be protected as L2’s Confidential Information subject to a separate nondisclosure agreement entered into between L2 and the recipient of such information before such audit. To request an audit, Customer must submit a detailed audit plan at least 90 days in advance of the proposed audit date describing the scope, duration, and start date of the audit, subject to mutual agreement between the parties. Customer will bear the costs of such an audit.
- Customer understands that Contracted Processors for the Services may have Audit obligations, policies, and terms and that L2’s role will be to facilitate audits of Contracted Processors on behalf of the Customer. Customer will bear the costs of such an audit as required by the Contracted Processors
- The Parties shall make the results of any audits available to the competent supervisory authority on request.
- Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of Customer. If personal data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses to transfer Personal Data.
- L2 MAKES NO REPRESENTATION OR WARRANTY THAT THIS DPA IS LEGALLY SUFFICIENT TO MEET CUSTOMER’S NEEDS UNDER APPLICABLE PRIVACY LAW. L2 EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, THROUGH A COURSE OF DEALING, OR OTHERWISE, THAT THIS DPA WILL COMPLY WITH OR SATISFY ANY OF CUSTOMER’S OBLIGATIONS UNDER APPLICABLE PRIVACY LAW. CUSTOMER FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE PRIVACY LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS DPA WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.
- The DPA supersedes and replaces all other agreements governing Data Privacy under Applicable Privacy Laws, including all prior DPAs.
- The parties acknowledge that the requirements of Applicable Privacy Laws differ between jurisdictions and, as such, certain of L2’s obligations and responsibilities under this DPA will only apply where such obligations exist under Applicable Privacy Laws.
- Each Party must keep any information it receives about the other Party and its business in connection with this DPA ("Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- Disclosure is required by law;
- The relevant information is already in the public domain.
- All notices and communications given under this DPA must be in writing and will be sent by email. Customer shall be notified by email sent to the address related to its use of the Service under the Principal Agreements. Processor shall be notified by email sent to the address: firstname.lastname@example.org
- This DPA may not be modified except by a subsequent written instrument signed by both parties.
- If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
- Governing Law and Jurisdiction
- This DPA is governed by United States law or other privacy laws directly applicable to: a specific Data Subject(s); or Data Privacy compliance matter.
- Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Illinois.