The Legal Area

LutinX.com Data Processing Addendum

Last Update: 
December 28, 2022

This Data Processing Addendum (“DPA”) incorporates by reference the rules between LutinX, Inc. (“LutinX”) and Client, or other agreement between Client and LutinX governing when Personal Data is transferred between LutinX and Client.  This DPA is an agreement between Client and LutinX. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in the Agreement and this DPA.  In the event of conflict of terms then this DPA shall prevail.   

1.     Definitions. 

a.     “Applicable Data Protection Laws” means all data protection, privacy and data security laws applicable to the processing of personal data, including but not limited to, GDPR; the United Kingdom Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection Act (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100-.199 (“CCPA”); or Family Educational Rights and Privacy Act (“FERPA”).

b.     “Client Data” means the data, including Personal Data, that is uploaded to the LutinX Services by the Client. Client Data shall not include Earner Data. 

c.     “Connected Earner” means an Earner that has consented to share their Connected Earner Data with Client. 

d.     “Connected Earner Data” means the information, including but not limited to Personal Data, from a Connected Earner’s LutinX account that the Connected Earner consents to share with Client.

e.     “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

f.      “LutinX Information Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex II.

g.     “Earner Data” means the data of an Earner that is processed by LutinX pursuant to an agreement between LutinX and that Earner. 

h.     “EEA” means the European Economic Area.

i.      “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

j.      “Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

k.     “Processor” means the entity which processes Personal Data on behalf of the Controller.

l.      “Security Incident” a failure of LutinX’s adherence to Annex II security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.

m.   “Standard Contractual Clauses” or “SCC” means the Appendix to the European Commission Implementing Decision ((EU) 2021/914 of 4 June 2021) on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

n.     “UK Addendum” means the ‘Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses’.

2.     Data Processing. 

a.     Scope and Roles. This DPA applies when Personal Data is transferred between LutinX and Client. 

b.     Family Educational Rights and Privacy Act (“FERPA”). To the extent FERPA is applicable, LutinX agrees to comply with all applicable federal and state laws related to the protection and privacy of student records, including, but not limited to FERPA. LutinX will implement safeguards that: (a) ensure the security and confidentiality of Client Data; (b) protect against any anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to any students. If LutinX subcontracts with a third party for any of the services that it is required to undertake in furtherance of this Agreement, LutinX will take reasonable steps to verify that such third parties implement practices which protect Client Data.

c.     Details of Data Processing.

i.     Subject matter: The subject matter of the data processing under this DPA is personally identifiable Client Data or Earner Data.

ii.     Duration: As between LutinX and Client, the duration of the data processing under this DPA is for the Term of the Agreement.

iii.     Purpose: The purpose of the data processing under this DPA is the provision of the Services.

iv.     Nature of the processing: LutinX will provide a platform for Client to create, manage, issue and use Credentials.

v.     Categories of Personal Data: Client Data uploaded to the Services under Client accounts on LutinX or Earner Data made available to Client pursuant to consent of the applicable Earner.

vi.     Categories of data subjects: The data subjects may include Earners or Client’s customers, employees, end-users, and other individuals that are issued Credentials by Client. 

vii.     Location: LutinX shall store data in the United States and Europe.

d.     Storage in United States. Notwithstanding anything to the contrary in this Agreement, the Parties acknowledge that LutinX can stores Personal Data, including Client Data, in the United States, and the storage by LutinX of Personal Data in the United States shall not be deemed a violation of this Section or create a right of action under this Agreement. 

e.      Storage in Europe. LutinX stores Personal Data of European Citizen in Ireland, European Union. 

f.      Compliance with Applicable Data Protections Laws. The Parties represent that (a) the Connected Earner Data shall be lawfully collected and transferred in accordance with Applicable Data Protection Laws (as defined in the DPA); and (b) the Parties have, and shall maintain, the systems and processes in place to ensure compliance with the terms of the Agreement.

g.     Cooperation between the Parties. The Parties will assist each other to comply with requests or complaints of data subjects or supervisory authorities regarding compliance with Applicable Data Protection Laws with regard to Connected Earner Data. The Parties will notify each other of any requests, enquiries, monitoring activities and similar measures undertaken by supervisory authorities regarding the handling of Personal Data under this DPA.

3.     Client Instructions. The parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding LutinX’s processing of Client Data (“Documented Instructions”). LutinX will process Client Data only in accordance with Documented Instructions. Client shall obtain all consents required by any Applicable Data Protection Law from Earners for LutinX to lawfully store, transfer, and process Personal Data provided by Client to LutinX pursuant to the Agreement.  Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between LutinX and Client, including agreement on any additional fees payable by Client to LutinX for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if LutinX declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

4.     Confidentiality of Client Data. LutinX will not access or use, or disclose to any third party, any Client Data, except, in each case, as necessary to maintain under the Agreement, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends LutinX a demand for Client Data, LutinX will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, LutinX may provide Client’s basic contact information to the government body. If compelled to disclose Client Data to a government body, then LutinX will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless LutinX is legally prohibited from doing so.

5.     Confidentiality Obligations of LutinX Personnel. LutinX restricts its personnel from processing Client Data without authorization by LutinX. LutinX shall impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

6.     Security of Data Processing. LutinX has implemented and will maintain the technical and organizational measures for the Services as described in the LutinX Information Security Standards, attached hereto as Annex II of the SCC. 

7.     Sub-processing. 

a.       Authorized Sub-processors. Client agrees that LutinX may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. The LutinX website lists sub-processors that are currently engaged by LutinX to carry out processing activities on Client Data on behalf of Client. At least 30 days before LutinX engages any new sub-processor to carry out processing activities on Client Data on behalf of Client, LutinX will email notice to the notice email set forth on the Order Form.  If Client reasonably objects to a new sub-processor and such objection cannot be satisfactorily resolved within a reasonable time, Client may terminate this Agreement without penalty upon 30 days’ written notice to LutinX.  

b.       Sub-processor Obligations. Where LutinX authorizes any sub-processor as described in Section 7(a):

i.     LutinX will restrict the sub-processor’s access to Client Data only to what is necessary to maintain the Services or as necessary under the Agreement. LutinX will prohibit the sub-processor from accessing Client Data for any other purpose; and

ii.    LutinX will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by LutinX under this DPA, LutinX will impose on the sub-processor the appropriate contractual obligations that LutinX has under this DPA; and

iii.   LutinX will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that violate the obligations under this DPA as if caused by LutinX itself.  

8.     Data Subject Requests.  Should a data subject contact LutinX with regard to correction or deletion of Client Data, LutinX will use commercially reasonable efforts to direct such data subject to Client. 

9.     Security Breach Notification.

a.     Security Incident. LutinX will (a) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, (b) investigate the Security Incident; (c) provide Client with a summary about the Security Incident and (d) take reasonable steps to mitigate the effects resulting from the Security Incident and enact procedures to prevent a recurrence of the Security Incident.

b.     LutinX Assistance. To assist Client in relation to any personal data breach notifications Client is required to make under the Applicable Data Protection Laws, LutinX will include in the notification under section 7.1(a) such information about the Security Incident as LutinX is reasonably able to disclose to Client, taking into account the nature of the Services, the information available to LutinX, and any restrictions on disclosing the information, such as confidentiality. LutinX’s obligation to report or respond to a Security Incident under this Section 7 is not and will not be construed as an acknowledgement by LutinX of any fault or liability of LutinX with respect to the Security Incident.

c.     Client Obligations. Where a controller-to-controller relationship exists between LutinX and Client, Client shall notify LutinX without undue delay in the event a personal data breach, as defined in the GDPR, occurs that requires Client to notify the competent supervisory authority or other regulator and/or the impacted data subjects.

10.  LutinX Certifications and Audit Right.

a.     LutinX Audits. LutinX uses external auditors to verify the technical, organizational and security measures, including the security of the physical data centers from which LutinX provides the LutinX Services. This audit will result in the generation of an audit report (the “Report”), which will be LutinX’s Confidential Information.

b.     Audit Reports. At Client’s written request, LutinX will provide Client with a copy of the Report so that Client can reasonably verify LutinX’s compliance with its obligations under this DPA.

c.       Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to LutinX, LutinX will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information LutinX makes available under this Section.

11.  Limitation of Liability.  Each party’s liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.  In no event shall either party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

12.  Application of Standard Contractual Clauses. 

a.     The Standard Contractual Clauses will apply to Client Data that is transferred outside the EEA, UK, or Switzerland (collectively, the “EEA”), either directly or via onward transfer, to any country not recognized by the European Commission, UK Information Commissioner’s Office, or the Swiss FDPIC as providing an adequate level of protection for personal data (as described in the GDPR or Swiss FADP). The Standard Contractual Clauses will not apply to Client Data that is not transferred, either directly or via onward transfer, outside the EEA. 

b.     Where the transfers contemplated under this Section 10 result in transfers of UK Personal Data to LutinX for processing by LutinX in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then each party agrees that (a) the UK Addendum for transfers of UK Personal Data shall apply; and (b) the UK Addendum will be deemed executed by and between Client and LutinX; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.

c.     Where the transfers contemplated under this Section 10 result in transfers of Swiss Personal Data to LutinX for processing by LutinX in a jurisdiction other than in the EAA, then each party agrees that (a) references in the SCC to a “member state” or to the “EU” shall be deemed to include Switzerland; and (b) the SCC between the parties shall be deemed amended as the Swiss FDPIC is the exclusive Supervisory Authority for the transfers of Swiss Personal Data under this Agreement.

d.     In the event that the Standard Contractual Clauses are amended, replaced or repealed by the European Commission or otherwise under Data Protection Laws, the Parties shall work together in good faith to enter into any updated version or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Laws. Either Party may terminate the Agreement on 30 days’ written notice, if the Parties are incapable of implementing or fail to implement another appropriate safeguard to ensure an adequate level of data protection within a period of 90 days.

13.     Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).

14.     Return or Deletion of Client Data. Up to the Termination Date, Client will continue to have the ability to retrieve or delete Client Data in accordance with this Section. For 90 days following the Termination Date, Client may delete or retrieve for export or download any Client Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject LutinX or its Affiliates to liability. No later than the end of this 90-day period, Client will close all LutinX accounts. LutinX will delete Client Data when requested by Client. After that 90-day period, LutinX will have no obligation to maintain Customer Data, and may thereafter delete or destroy all copies of Client Data maintained by LutinX. 

15.   Duties to Inform. Where Client Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by LutinX, LutinX will inform Client without undue delay. LutinX will, without undue delay, notify all relevant parties in such action (e.g., creditors, bankruptcy trustee) that any Client Data subjected to those proceedings is Client’s property and area of responsibility and that Client Data is at Client’s sole disposition.

16.   Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between the Standard Contractual Clauses and this DPA, the terms of the Standard Contractual Clauses, as applicable, shall prevail.

APPENDIX

Standard Contractual Clauses (Controller-to-Controller) Module 1, as applicable

Standard Contractual Clauses (Controller-to-Processor) Module 2, as applicable

Where applicable pursuant to the DPA, the parties hereby enter into Module 1 or 2 of the Standard Contractual Clauses, as applicable, and where the SCCs require the parties to choose between optional clauses and to input information, the parties have done so as set out below: 

1.     The Optional Clause 7 “Docking clause” shall not be adopted. 

2.     For Clause 9 “Use of sub-processors”, the parties elect the following option:

“Option 2 General written authorisation: The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 calendar days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).”

3.     For Clause 11 (a) “Redress”, the parties do not adopt the Option. 

4.     For Clause 17 “Governing law”, the parties elect the following option:

“Option 1.  These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.” 

5.     For Clause 18 (b) “Choice of Forum and Jurisdiction”:

“The Parties agree that those shall be the courts of Ireland”.

ANNEX I (applicable to Module 2 only)

1.     LIST OF PARTIES

a)     Data exporter: The data exporter is the entity identified as “Client” in the DPA

b)    Data importer: The data importer is LutinX, Inc., a provider of web services.

2.     DESCRIPTION OF TRANSFER

a)     Data subjects: Data subjects are defined in Section 2.4(f) of the DPA.

b)    Categories of data: The personal data is defined in Section 2.4(e) of the DPA.

c)     Processing operations:The processing operations are defined in Section 2.4(d)of the DPA.

d)    Frequency: Continuous

C. COMPETENT SUPERVISORY AUTHORITY

Data Protection Commission (of Ireland)

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA  – click here