Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Luna Launches, Inc. ("Luna") ("Processor") and the customer ("Controller") for the provision of Luna's B2B SaaS productivity tool services (the "Services").

1. Definitions

1.1 "Applicable Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the GDPR and the California Consumer Privacy Act (CCPA).

1.2 "GDPR" means the General Data Protection Regulation (EU) 2016/679.

1.3 "Personal Data" means any information relating to an identified or identifiable natural person as defined in Applicable Data Protection Laws.

1.4 "Processing" means any operation performed on Personal Data, whether or not by automated means.

2. Data Processing

2.1 The Controller retains control of the Personal Data and remains responsible for its compliance obligations under Applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.

2.2 The Processor shall only process Personal Data on behalf of the Controller in accordance with the Controller's documented instructions and in compliance with Applicable Data Protection Laws.

3. Purpose and Scope of Processing

3.1 The purpose of the processing is to provide the Services as described in the main agreement.

3.2 The types of Personal Data processed may include, but are not limited to:

  • Identifiers (e.g., names, email addresses)
  • Professional information (e.g., job titles, roles)
  • User account information
  • Profile photo and other information you choose to include to describe yourself, only collected if you do choose to provide it
  • Any other information you choose to provide while using Luna that identifies or can be reasonably associated with you

4. Security Measures

4.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Measures to restore the availability and access to personal data in a timely manner in the event of an incident
  • Regular testing and evaluation of the effectiveness of security measures

The following list describes additional information about Luna’s technical and organizational security measures:

5. Subprocessors

5.1 The Controller authorizes the Processor to engage sub-processors to assist in the provision of the Services, provided that:

  • The Processor maintains an up-to-date list of sub-processors and makes it available to the Controller
  • The Processor imposes data protection obligations on sub-processors that are no less protective than those in this DPA

Authorized sub-processors list: 

6. Data Subject Rights

6.1 The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws.

7. Data Breach Notification

7.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach and shall assist the Controller in meeting its obligations under Applicable Data Protection Laws.

8. International Data Transfers

8.1 The Processor may transfer Personal Data outside the European Economic Area (EEA), including to the United States, as necessary to provide the Services.

8.2 For any such transfers, the Processor shall ensure appropriate safeguards are in place in accordance with Applicable Data Protection Laws. These safeguards may include, but are not limited to:

   a) Adherence to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, if applicable;

   b) Implementation of Standard Contractual Clauses approved by the European Commission;

   c) Any other legally recognized transfer mechanism or derogation under Applicable Data Protection Laws.

8.3 The Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) are hereby incorporated in their entirety into this DPA and shall apply to transfers of Personal Data outside the EEA.

8.4 For the purposes of the SCCs: a) Luna shall be considered as the 'data exporter' and the relevant subprocessor shall be the 'data importer'; b) Annexes I, II, and III of the SCCs shall be deemed completed with the relevant information from this DPA and the Privacy Policy.

8.5 The Processor shall make available to the Controller information about the safeguards used for international transfers upon request. 

8.6 The Controller acknowledges and agrees that by using the Services, it is instructing the Processor to perform such international transfers as necessary to provide the Services.

8.7 The Processor shall promptly inform the Controller of any inability to comply with this clause due to changes in applicable laws or regulations.

9. Audit Rights

9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

10. Return or Deletion of Data

10.1 Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless required by law to retain such data.

11. Liability

11.1 Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the main agreement between the parties.

12. Governing Law

12.1 This DPA shall be governed by the laws specified in the main agreement.

Annexes to Standard Contractual Clauses: 

Annex I: List of Parties

Data exporter(s):

  • Name: Customer, as stated and defined in the applicable Order
  • Address: Customer’s registered business address and any address provided to Luna at the time that Customer uses the Services
  • Contact person’s name, position and contact details: Customer’s contact for the purposes of the SCCs will be the contact of the person that properly accepts and binds Customer to this agreement unless another contact person’s information is specifically provided to Luna in writing

Data importer(s):

  • Name: Luna Launches Inc.
  • Address: 171 Sussex Gardens, W2 2RH, London, UK

Annex II: Description of Transfer

  • Categories of data subjects: refer to agreement
  • Categories of personal data transferred: refer to agreement
  • Frequency of the transfer: continuous as necessary for the provision of the Services
  • Nature of the processing: as described in the main agreement and this DPA
  • Purpose(s) of the data transfer and further processing: to provide the Services as described in the main agreement
  • Period for which the personal data will be retained: as specified in the main agreement or this DPA

Annex III: Technical and Organizational Measures

Specified in Section 4 of this agreement.