Master Spectra Subscription Agreement
This Master Subscription Agreement for provision of Lighthouse’s Spectra SaaS Services (this “Agreement”) is entered into as of the effective date listed on the order form (the “Effective Date”) and is between Lighthouse Document Technologies Inc. and its affiliates with a place of business at 51 University Street Suite 400, Seattle, Washington 98101 (“we”, “our”, and “Lighthouse”), and Client as identified on the order form (“you”, “your”, and “Client”). This Agreement includes and incorporates the Spectra Support and Service Level Addendum in Exhibit A, the Spectra Information Security & Data Protection Addendum in Exhibit B, the Spectra Data Processing Addendum in Exhibit C, and any applicable order forms executed by Client.
1. Spectra SaaS Services. Spectra is a self-service SaaS e-discovery solution offering optional access to legal technology expertise and project managers to support cases, as needed (“Services”). The Services also allow you to utilize a single solution for all matters, providing self-service autonomy with the ability to leverage a comprehensive collection of other services offered by us for matters requiring complex processing and analytics assistance.
2. Access and Use.
(a) Provision of Access. We grant you a non-exclusive, non-transferable right to access and use the Services during the Term, solely for use by your employees, consultants, contractors, agents, or affiliates who are authorized by you to access and use the Services under the rights granted to you pursuant to this Agreement (“Authorized Users”) in accordance with the terms and conditions herein. Such use is limited to your own internal business purposes. We will provide you the necessary access and link to allow you to access the Services within three business days following the Effective Date.
(b) Documentation License. We grant you a non-exclusive, non-sublicensable, non-transferable license to use our user manuals, handbooks, videos, and guides relating to the Services provided by us to you through Spectra (“Documentation”) during the Term solely for your own internal business purposes in connection with your use of the Services.
(c) Use Restrictions. You will not use the Services for any purposes beyond the scope of the access granted in this Agreement. You will not at any time, directly or indirectly, and will not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; or (iv) remove any proprietary notices from the Services or Documentation.
3. Service Levels and Support. We will make the Services available in accordance with the service levels set out in Exhibit A. The access rights granted hereunder entitle you to the support services described on Exhibit A during your use of the Services.
4. Information Security and Data Privacy. Throughout the Term, we will maintain an Information Security Program, as outlined in Exhibit B. We will comply with all data processing requirements set out in Exhibit C.
5. Fees, Payment, and Taxes. You will pay us the fees ("Fees") set forth in the order form. We will invoice you for all Fees in accordance with the invoicing schedule and requirements set forth in the order form. Unless otherwise set forth on the order form, you will pay our fees within 30 days of the date of invoice in the currency stated on your order form. If you are a non-government subscriber and you fail to pay your invoiced charges, you are responsible for collection costs including legal fees. You must also pay applicable taxes and duties, other than taxes on our income, in addition to the price quoted unless you provide valid proof that you are exempt. Invoice disputes must be notified within 15 days of receipt of invoice. If you use an ebilling platform, we will use generic time keeper codes (e.g., E118 code) when uploading invoices, as we are a vendor and are only using the ebilling platform for invoice submissions in order to receive payments. We reserve the right to invoice back charges from ebilling platforms that are required for us to submit invoices. We will notify you in writing in the event that an applicable matter or projects are not set up in an ebilling platform. If the applicable matter or projects are not set up in an ebilling platform within 15 days from such notification, then we reserve the right to email or mail you the invoice to the address located in the order form and you agree to pay the invoice within 30 days of receipt of the emailed or mailed invoice.
6. Confidential Information
(a) Definition. From time to time during the Term, either of us may disclose (the “Discloser”) or make available to the other (“Recipient”) information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, whether or not marked, designated, or otherwise identified as "confidential" (collectively, "Confidential Information"). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the Recipient at the time of disclosure; (c) rightfully obtained by the Recipient on a non-confidential basis from a third party; or (d) independently developed by the Recipient.
(b) Protection of Confidential Information. The Recipient will not disclose the Discloser’s Confidential Information to any person or entity, except to the Recipient's employees, consultants, contractors, or agents who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder and are bound by a duty of non-disclosure at least as restrictive as the one in this Agreement. Notwithstanding the foregoing, each of us may disclose Confidential Information to the limited extent required to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that each of us will first give written notice to the other so that the Discloser may obtain a protective order. On the expiration or termination of the Agreement, the Recipient will promptly, but no longer than 60 days, destroy and certify in writing to the Discloser that such Confidential Information has been destroyed, or, at Discloser’s request, return the Confidential Information. Each of our obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party. However, such obligations of non-disclosure will survive the termination or expiration of this Agreement (i) with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), as long as such Confidential Information remains subject to trade secret protection under applicable law; and (ii) with respect to any Confidential Information that is subject to attorney-client privilege, for as long as it remains so privileged.
(c) Injunctive Relief. Recipient acknowledges and agrees that a breach or threatened breach of this Section 6, Confidential Information, would cause irreparable harm to the Discloser for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the Discloser will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.
(d) Privilege. Any information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of you or an Authorized User through the Services (“Client Data”) that are within the scope of communications protected by state statute or common law attorney-client privilege and/or work product will remain subject to such protection and will have equivalent designations under the privilege rules of applicable jurisdictions (“Attorney Client Privilege Data”). Neither of us intend for Attorney Client Privilege Data or other Client Data that would otherwise be entitled to the protection of privilege to lose that status as a result of being uploaded using the Services. Therefore, we both agree that the receipt of Client Data under this Agreement by us is at the behest of and on behalf of you for the purpose of assisting you and your current and future counsel if you are a company or your current and future clients if you are a firm, in anticipated and/or potential litigation and/or other legal disputes. Any Services rendered by Lighthouse on behalf of you are intended to be in furtherance of such representation.
(e) Analytics. We, our subcontractors, agents and third-party service providers shall be permitted to access, collect, analyze, and use data and information related to your use of the Services, provided that such data and information is used in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services (“Analytical Data”). We will use Analytical Data to improve and enhance the Services and for other development, diagnostic, and corrective purposes, and may disclose Analytical Data in aggregate or in other de-identified form in connection with our business.
7. Intellectual Property Ownership.
(a) Lighthouse IP. You acknowledge that, as between you and Lighthouse, Lighthouse owns all rights, titles, and interest, including all intellectual property rights, in and to the Services, the Documentation, and any and all intellectual property provided to you or any Authorized User in connection with the Services (“Lighthouse IP”). For the avoidance of doubt, Lighthouse IP does not include Client Data.
(b) Client Data. We acknowledge that, as between Lighthouse and you, you own all rights, titles, and interest, including all intellectual property rights, in and to the Client Data. You hereby grant to Lighthouse a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and use and display the Client Data solely to the extent necessary for Lighthouse to provide the Services to you.
8. Warranties and Warranty Disclaimer.
(a) We warrant that during the Term of this Agreement the Services (i) will conform in all material respects to the specifications set forth in the Documentation during the Term of this Agreement; (ii) will be provided in compliance with all applicable laws; and (iii) will not infringe upon any third-party’s rights. If the Services fail to meet this warranty, we will, at our option and as your exclusive remedy, either return to you the amount you paid for the non-conforming Services, or we will repair or replace the Services. This limited warranty does not cover problems caused by accident, your misuse of the Services, abuse or use of the Services in a manner inconsistent with this Agreement or our Documentation or guidance, or resulting from events beyond our reasonable control.
(b) You warrant that during the Term of this Agreement (i) the Client Data will be provided in compliance with all applicable laws; and (ii) you have scanned Client Data to ensure it contains no harmful code using an application that meets the current information security standards in the industry.
(c) EXCEPT FOR THE WARRANTIES SET FORTH IN SECTION 8(a), THE SERVICES AND DOCUMENTATION ARE PROVIDED "AS IS" AND WE HEREBY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. WE SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR INTENT, TITLE, AND NON-INFRINGEMENT, OPERATE ERROR FREE, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. FURTHERMORE, WE DO NOT PRACTICE LAW NOR ARE WE PROVIDING YOU WITH LEGAL ADVICE.
(a) We will indemnify, defend, and hold harmless you from and against any and all losses, damages, liabilities, and costs (including reasonable attorneys' fees) ("Losses") incurred by you resulting from any third-party claim, suit, action, or proceeding ("Third-Party Claim") that the Lighthouse IP, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party's intellectual property rights, provided that you promptly notify us in writing of the claim, reasonably cooperate with us, and allow us sole authority to control the defense and settlement of such claim, provided that we may not settle any infringement claim without your reasonable consent unless the settlement unconditionally releases you of all liability.
(b) If such a claim is made or appears possible, you agree to permit us, at our sole expense, to (A) modify or replace the Lighthouse IP, or component or part thereof, to make it non-infringing, or (B) obtain the right for you to continue use. If neither of these alternatives are commercially reasonable, we may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to you, provided that we will refund or credit to you all amounts you paid in respect of the Lighthouse IP that you cannot reasonably use as intended under this Agreement.
10. Limitations of Liability. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF BUSINESS OR PROSPECTIVE BUSINESS OPPORTUNITIES, PROFITS, REVENUE OR ANTICIPATED SAVINGS, DATA, INFORMATION, OR OTHER COMMERCIAL OR ECONOMIC LOSS OF THE OTHER PARTY, IN RELATION TO THIS AGREEMENT, WHETHER OR NOT THE RELEVANT LOSS WAS FORESEEABLE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Our entire liability for any claims which may arise hereunder, for any cause whatsoever, and regardless of the form of action, shall be limited to money damages in an amount equal to the total fees actually paid by you to us during the previous 12 months related to the Services at issue. The exclusions and limitations in this Section 10 do not apply to claims arising from (i) fraud, fraudulent misrepresentation, willful misconduct, gross negligence, or conduct that demonstrates reckless disregard for the rights of others; (ii) negligence causing death or personal injury; or (iii) the infringement of intellectual property rights.
11. Term and Termination.
(a) Term. The initial term of this Agreement begins on the Effective Date and will run through the term date listed in the order form (the "Initial Term"). After the Initial Term, this Agreement then will automatically renew on an annual basis until one of us gives written notice of non-renewal at least 30 days prior to the expiration of the then-current term or as outlined below (each a "Renewal Term" and together with the Initial Term, the "Term"). After the Initial Term, we reserve the right to increase rates on an annual basis with at least 90 days’ prior notice.
(b) Termination. In addition to any other termination right set forth in this Agreement:
(i) after the Initial Term, either of us may terminate this Agreement for convenience upon 30 days' prior written notice;
(ii) either of us may terminate this Agreement, effective on written notice to the other, if the other materially breaches this Agreement, including your failure to pay Fees, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured by one of us for 30 days after the other had provided written notice of such breach; or
(iii) either of us may terminate this Agreement, effective immediately upon written notice to the other, if one of us: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
(c) Effect of Expiration or Termination and Survival. Upon expiration or earlier termination of this Agreement, you will immediately discontinue use of the Lighthouse IP and, without limiting your obligations under Section 6, you will delete, destroy, or return all copies of the Lighthouse IP within 60 days. Upon expiration or earlier termination of this Agreement, we will immediately discontinue use of Client Data and, without limiting our obligations under Section 6, after 60 days from the date of termination, will delete, destroy, or return all copies of the Client Data.
(a) Trials and Feedback. All trials of our Services are subject to the terms of the Agreement, unless we notify you otherwise. You grant Lighthouse a perpetual, irrevocable, transferable, non-exclusive right to use any comments, suggestions, ideas or recommendations you provide related to the Services in any manner and for any purpose.
(b) Matter Conflict Checks. By default, we do not perform any matter conflicts checks as part of your use of the Services, however there is an option within the Services to request a matter conflict check. In the event that you request us to access your Spectra workspace for support, at that time we may elect, at our sole discretion, to perform a matter conflict check. In such an event, you will work with us to provide as many details as reasonably needed to perform a matter conflict check. If you refuse to allow us to perform a matter conflict check, at that time we may decline to provide you with any additional support that is specific to that matter.
(c) Disclaimer of Legal Services. You understand and acknowledge that we are not a law firm; we are not engaged in the practice of law in any jurisdiction; and we are not bound by the professional responsibilities or duties of a legal practitioner, notwithstanding any performance of services by lawyers who are authorized to practice law in any jurisdiction. The Services or deliverables are being performed at the request of you, who is a law firm or has in-house attorneys employed by you, and Services are being delivered directly to, and under the supervision and direction of, you or your counsel in support of the legal services that are being performed. Nothing in the delivery or receipt of any Services or deliverables shall be construed or relied on as advertising or soliciting to provide any legal services, creating any attorney-client relationship, or providing any legal representation, advice or opinion whatsoever on behalf of us or our personnel.
(d) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of Client or Lighthouse. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
(e) Force Majeure. We are not liable for any damages or failure to perform our obligations under the Agreement because of circumstances beyond our reasonable control. If those circumstances cause material deficiencies in the products or services and continue for more than 30 days, either of us may terminate any affected product or service on notice to the other.
(f) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, both of us will negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
(e) Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the internal laws of the State of Washington without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Washington. Any legal suit, action, or proceeding arising out of or related to this Agreement will be instituted in the federal courts of the United States or the courts of the State of Washington in each case located in the city of Seattle and County of King, and each of us irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.
(f) Notices and Assignment. Notices must be in writing and will be treated as delivered on the date received at the address, date shown on the return receipt, email transmission date, or the date on the courier or fax confirmation of delivery. Notices to us must be sent to the addresses listed in the order form. Except in the event of a merger, acquisition or other change of control, neither Client nor Lighthouse may transfer or assign this Agreement without the other’s permission, and any attempted assignment in contravention of this Section shall be void.
(g) Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement with respect to the Spectra Services and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to Spectra Services. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference. In the event that we enter into a services agreement with you for other professional services, that services agreement shall only apply to those professional services and this Agreement shall only apply to Spectra Services, notwithstanding any priority clause to the contrary in that services agreement.
Exhibit A: Spectra Support and Service Level Addendum
This Support and Service Level Addendum (this “Exhibit A”) provides the support and service level terms and conditions for the Spectra Services and related Documentation. Exhibit A is an integral part of the Master Spectra Subscription Agreement (the “Agreement”), and is incorporated by reference and made part of the Agreement. All capitalized terms not defined shall have the meaning set forth in the Agreement.
1. Support. Lighthouse shall provide, at no additional cost to Client, technical support by email to Client and/or its Authorized Users to address and respond to any inquiry or problem associated with the access and availability of the Services (“Support”). Lighthouse will respond to, correct, and rectify any failure, malfunction or nonconformity in the Services to the Documentation, in each case, in a prompt and qualified manner, and will provide the technical support services to Client in accordance with the service level standards set forth in this Exhibit A. Requests may be submitted on a 24x7 basis via email to email@example.com.
Available to all Spectra users at no cost to resolve basic user accessibility and Spectra technical issues.
9:00am to 9:00pm ET, Monday – Friday
Except US Federal Holidays
This is a paid service for escalated user support, issues related to matter-specific workflows, and consultative guidance on using the platform. Please refer to Pricing section for pricing details.
9:00am to 9:00pm ET, Monday – Friday
Except US Federal Holidays
“ET” means Eastern Standard Time or Eastern Daylight Time, whichever is currently in effect for the Eastern Time Zone.
2. Availability Commitment. Lighthouse commits to Services Availability as defined below:
Service Level for Each Calendar Month
Services Availability: All Services are required to be operating normally for service to be defined as “available.”
“Actual Availability Percentage” means (((Maximum Available Time – (Downtime – Allowable Downtime)) / Maximum Available Time) * 100).
“Maximum Available Time” means hours in each calendar month less Allowable Downtime for such calendar month or, for each calendar month, ((number of days * 24 hours) – Allowable Downtime).
“Downtime” means the hours in each calendar month for which the Services are not available.
“Allowable Downtime” refers to normal maintenance activities that may or may not disrupt the Services, and may be performed: (A) on the third Saturday of each month from 2:00 am – 6:00 am ET; (B) on the fourth Saturday of each month from 2:00 am – 6:00 am ET; or (C) during any additional window of time that is reasonably necessary, provided Lighthouse provides at least 72 hours' advance notice.
Actual Availability Percentage of 99.95%
Any failure, malfunction, or nonconformity in connection with the availability of the Services as reported by Client hereunder (each, an “Issue”) arising out of the provision of Services shall be designated a Severity Level by Lighthouse as follows:
Table 2: Severity Level Descriptions
Critical Impact / System Down:
Service outage or a major application problem making it impossible to use the service.
Service is not available due to system outage. Critical functions inoperative that renders the entire application inoperative; application does not save critical data correctly.
Significant Impact / Severe downgrade of services:
Critical loss of application functionality, resulting in a majority of users unable to perform their normal functions.
Feature not working system-wide.
Large number of users not able to login.
Minor Impact / Most of the services are functioning properly:
Impact on a small number of user base or impact on a large number of users, but only impacts limited functionality and/or a workaround exists.
System is accessible but some functional limitations that are not critical for daily operations.
Slow application response time.
Low Impact / Informational:
No critical impact on users.
Minor spelling errors; minor usability errors; non-critical, minor loss of functionality.
Any other Issues arising out of the Services may be designated a Severity Level by Lighthouse upon reporting in accordance with the descriptions in Table 2.
2.1. Response and Action Levels. When submitting an Issue, Client must (i) provide Lighthouse with all information necessary for Lighthouse to address the Issue, and (ii) respond promptly with any information reasonably requested by Lighthouse to clarify the Issue. On receipt of the Issue, Lighthouse shall respond to the Severity Level of the Issue, as outlined in Table 3 below. All time periods in Table 3 shall be counted commencing from the time an Issue is reported by Client and, with respect to status updates, from the time of the last status update.
Table 3: Response and Action Levels
Within 30 minutes (if reported during support hours).
Issues reported outside support hours will be within 30 minutes of next support window.
No less than every 2 hours (24x7) until resolution.
Dedicated engineering resources assigned until resolution is achieved.
Within 30 minutes (if reported during support hours). Issues reported outside support hours will be within 30 minutes of next support window.
No less than every 4 hours (24x7) until resolution.
Dedicated engineering resources assigned until resolution is achieved.
Within 1 business day.
No less than every business day.
Dedicated engineering resources assigned until resolution is achieved.
Within 1 business day.
Initial Response: The response time for Lighthouse to respond to Client to acknowledge the issue and assign a Severity Level.
Status Updates: The frequency in which Lighthouse shall provide Client information regarding the current status of any open Issue not yet resolved.
3. Client Responsibility. Client is responsible for ensuring that its hardware and software used to access the Services meet the minimum requirements specified by Lighthouse. Minimum requirements include use of a currently supported browser, a high-speed Internet connection, and integration with a compatible email service. Professional Services are not included in this Exhibit A. Lighthouse must be able to reproduce an error in order to resolve it. Clients agree to cooperate and work closely with Lighthouse to reproduce errors, including conducting diagnostic or troubleshooting activities as reasonably requested and as appropriate.
4. Client Remedies. If Lighthouse fails to meet the Actual Availability or fails to meet its Response and Action Level for three (3) consecutive calendar months, then within thirty (30) days following the conclusion of the third consecutive calendar month, Client may terminate the order and Agreement by giving Lighthouse thirty (30) days' prior written notice of termination, without liability for any cancellation fees, penalties or other damages associated with termination, and Client shall be entitled to a refund of unearned, prepaid fees, if any, pro-rated from the effective date of such termination through the end of the applicable prepaid period. Notwithstanding any other term or provision in the Agreement, the remedies stated in this Section 5 are Client’s sole and exclusive remedies for Lighthouse’s failure to meet the Actual Availability or Response and Action Level specified herein.
Exhibit B: Spectra Information Security & Data Protection Addendum
This Spectra Information Security & Data Protection Addendum (this “Exhibit B”) is an integral part of the Master Spectra Subscription Agreement (the “Agreement”), and is incorporated by reference and made part of the Agreement. All capitalized terms not defined shall have the meaning set forth in the Agreement.
1. Information Security Program. Lighthouse agrees to maintain a written information security program of policies, procedures, and controls governing the processing, storage, transmission, and security of Client Data (the “Information Security Program”). The Information Security Program includes industry standard practices designed to protect Client Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Lighthouse may periodically review and update the Information Security Program to address new and evolving security threats, changes to regulations and industry standard practices, and changing security technologies, provided that any such update does not materially reduce the commitments, protections, or overall level of service provided to the Client.
2. Certifications and Attestations. Lighthouse has established and maintains sufficient controls to meet the objectives stated in ISO/IEC 27001, The HIPAA Security Rule, and SSAE 16/SOC 2 Type 2 (collectively, the “Standards”) for the Information Security Program. At least once per calendar year, Lighthouse performs an assessment against such standards (“Assessment”). Upon Client’s written request, and no more than once per calendar year, Lighthouse will provide a summary of the Assessment(s) to Client. Assessments are considered Confidential Information under this Agreement.
3. Physical, Technical and Administrative Security Measures. The Information Security Program includes the following physical, technical, and administrative measures designed to protect Client Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:
3.1. Physical Security Measures.
3.1.1. Data Center Facilities: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor.
3.1.2. Systems, Machines, and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access.
3.1.3. Media: (i) Industry-standard destruction of sensitive materials before disposition of media; (ii) secure storage of damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Client Data.
3.2. Technical Security Measures.
3.2.1. Access Administration: Access to the Services by Lighthouse employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment, consulting relationship, or change in role. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates, and two-factor authentication when required) and is accessible for administration.
3.2.2. Logging and Monitoring: The production infrastructure log activities are centrally collected, are secured to prevent tampering, and are monitored for anomalies by a trained security team.
3.2.3. Firewall System: Industry-standard firewalls are installed and managed to protect Lighthouse systems by inspecting all ingress and egress connections to and from Lighthouse’s network.
3.2.4. Vulnerability Management: Lighthouse conducts periodic internal and external vulnerability scans as well as independent security risk evaluations to assess threats to critical information assets, identify potential vulnerabilities, and determine remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Lighthouse will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Lighthouse’s vulnerability management and security patch management standard operating procedure, and only after such patch is tested and determined to be safe for installation on all production systems.
3.2.5. Antivirus: Lighthouse updates anti-virus, anti-malware, and anti-spyware definitions at least daily, and centrally logs events for effectiveness of such software.
3.2.6. Change Control: Lighthouse ensures that changes to platform, applications, and production infrastructure are evaluated to minimize risk, and are implemented following Lighthouse’s change management process.
3.3. Administrative Security Measures.
3.3.1. Data Center Security Reviews: Lighthouse performs routine reviews of each data center to ensure that they continue to maintain the security controls necessary to comply with the Information Security Program.
3.3.2. Personnel Security: Background screenings are performed on all employees and contractors who have access to Client Data, subject to applicable law.
3.3.3. Security Awareness and Training: Lighthouse conducts a security awareness and privacy program for all personnel. Training is conducted at time of hire and annually thereafter throughout employment.
3.3.4. Vendor Risk Management: Lighthouse maintains a vendor risk management program that assesses all vendors that access, store, process, or transmit Client Data for appropriate security controls and business disciplines.
4. Data Center and Service Continuity. Lighthouse hosts Client Data in primary and secondary SOC 2 Type 2 or ISO 27001 certified (or equivalent) data centers. Each data center includes full redundancy (N+1) and fault tolerant infrastructure for electrical, cooling, and network systems. The deployed servers are enterprise-scale servers with redundant power to ensure maximum uptime and service availability. The system is supported by a network configuration with multiple connections to the Internet. The production database servers are replicated in near real time to a mirrored data center in a different geographic region. Lighthouse backs up all Client Data in accordance with Lighthouse’s standard operating procedure.
5. Security Incident Management. Lighthouse monitors, analyzes, and responds to Security Incidents in a timely manner in accordance with its standard operating procedure. Depending on the nature of the incident, Lighthouse’s security group will escalate and engage response teams necessary to address an incident, including breach notification pursuant to this Agreement.
5.1. Security Incident Procedure. Lighthouse will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Client Personal Data in a timely manner.
5.2. Notice. Lighthouse will notify Client within 48 hours after becoming aware of a Security Incident. Such notice will include (i) a description of the nature of the Security Incident; (ii) a description of the likely consequences of the Security Incident; (iii) a description of any measures Lighthouse has taken or proposes to take to address and/or mitigate the Security Incident; and (iv) specify a point of contact at Lighthouse whom Client can contact about the Security Incident. Lighthouse will ensure that descriptions in the notice are detailed enough to allow Client to understand the impact of the Security Incident. If it is not possible for Lighthouse to provide all of the information required at the time of the notice, Lighthouse will provide such additional information to Client as the information becomes available thereafter. Lighthouse will take reasonable steps to mitigate and minimize any damage resulting from the Security Incident.
6. Penetration Tests
6.1. By a Third Party. Lighthouse contracts with independent third-party vendors to perform an annual penetration test on Lighthouse’s service platform to identify risks and remediation to help increase security.
6.2. By Client. No more than once a year Client may request to perform, at its own expense, an application penetration test of its instances of the provided Services. Client shall notify Lighthouse in advance of any test by submitting a request to Lighthouse and completing a penetration testing agreement. Lighthouse and Client must agree upon a mutually acceptable time for the test, and Client shall not perform a penetration test without Lighthouse’s express written authorization. The test must be of reasonable duration and must not interfere with Lighthouse’s day-to-day operations. Promptly upon completion of the penetration test, Client shall provide Lighthouse with the test results including any detected vulnerability. Upon such notice, Lighthouse will, consistent with industry standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the services provided. Client shall treat the test results as Confidential Information under this Agreement.
7. Sharing the Security Responsibility.
7.1. Product Capabilities. The Services Lighthouse provides have the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow Authorized Users to manage passwords; and (iv) prevent access by Authorized Users with an inactive account. Client manages each Authorized User’s access to and use of the services by assigning to each Authorized User an account and role that controls the level of access to the Services.
7.2. Client Responsibilities. Lighthouse provides the online environment that permits Client to use and process Client Data. Lighthouse protects all Client Data in Lighthouse’s infrastructure equally in accordance with this Exhibit B. Client shall be responsible for:
7.2.1. Protecting the confidentiality of each Authorized User’s login and password and managing each Authorized User’s access to the Services, and prohibiting the sharing of accounts and/or passwords.
7.2.2. Employing best practices used in Lighthouse’s industry to prevent the upload of any data containing malicious code (e.g., viruses, Trojans, ransomware, etc.) into Lighthouse’s systems. If at any time Client knows or has reason to believe it has uploaded any malicious code into Lighthouse’s systems, Client agrees to immediately notify Lighthouse and cooperate to identify and remove the malicious code from Lighthouse’s systems.
7.3. Limitations. Notwithstanding anything to the contrary in the Agreement or this Exhibit B, Lighthouse’s obligations extend only to those systems, networks, network devices, facilities, and components over which Lighthouse exercises control. This Exhibit B does not apply to: (i) information shared with Lighthouse that is not data stored in its systems using the provided Services; (ii) data in Client’s local network, virtual private network (VPN), or a third-party network; or (iii) any data processed by the Client or its Authorized Users in violation of the Agreement or this Exhibit B.
8. Audits. Upon written request and at no additional charge, Lighthouse will provide to Client reasonable assistance and all information required by Client from time to time to assess Lighthouse’s compliance with this Exhibit B. Upon reasonable advance written request, Lighthouse will allow for and contribute to reasonable audits and inspections conducted by Client (or Client’s independent third-party auditor), including onsite inspections of Lighthouse’s business premises or facilities used for the provision of the Services. Lighthouse and Client shall each be responsible for their own costs in relation to any audits undertaken. The process of such audits will be mutually determined by Client in consultation with Lighthouse (covering such matters as scope, timing, costs, and confidentiality). Audits will occur no more than annually, unless requested to comply with a request from a regulatory authority or following a Security Incident.
Exhibit C: Spectra Data Processing Addendum
This Spectra Data Processing Addendum (this “Exhibit C”) governs the manner in which Lighthouse shall process Client Personal Data and only applies to the extent Lighthouse Processes such Client Personal Data. Exhibit C is an integral part of the Master Spectra Subscription Agreement (the “Agreement”) and is incorporated by reference and made part of the Agreement. In the event of a conflict between this Exhibit C and any other portion of the Agreement, the provision imposing the stricter data processing requirements of any conflicting provision shall control. All capitalized terms not defined shall have the meaning set forth in the Agreement.
1. Role of the Parties. The parties agree that Client acts as the Data Controller of the Client Personal Data processed by Lighthouse in its provision of the Services and Lighthouse acts as a Data Processor of the Client Personal Data.
2. Data Processing.
(a) Client will be solely responsible for determining the purposes for which and the manner in which Client Personal Data are, or are to be, processed. Lighthouse will Process Client Personal Data solely as set forth in Section 2 of this Exhibit C (the “Business Purpose”), and will not retain, use, or disclose the Client Personal Data for any purpose other than the Business Purpose. Nothing in the Agreement or this Exhibit C relieves the Data Controller of its own direct responsibilities or obligations under the applicable Data Protection Laws.
(b) Lighthouse will not Sell (as defined in the applicable Data Protection Laws) any Client Personal Data.
(c) The parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the services being rendered and not for providing Client Personal Data and Lighthouse does not receive any Client Personal Data from Client for Lighthouse’s provisions of the Services.
(d) Lighthouse agrees that all rights, title, and interest in the Client Personal Data will vest solely in Client and that Lighthouse will have no rights, title, or interest in the Client Personal Data.
(e) Lighthouse will comply with the requirements of the Data Protection Laws in respect of the provision of the Services and otherwise in connection with this Exhibit C, and will not knowingly do anything or permit anything to be done which would lead to a breach by Client of the Data Protection Laws.
(f) Where Lighthouse processes Client Personal Data on behalf of Client, Lighthouse will, in respect of such Client Personal Data:
i. act only on written instructions and directions from Client and will comply promptly with all such instructions and directions received from Client from time to time; provided that Lighthouse will immediately inform Client if, in its opinion, an instruction infringes Data Protection Laws;
ii. not process Client Personal Data for any purpose other than for the provision of Services to Client and only to the extent reasonably necessary for the performance of this Exhibit C;
iii. not disclose Client Personal Data to any government, authority, or any other third party except as necessary for the performance of the Services, to comply with Data Protection Laws, or with the Client's prior written consent. To the extent permitted by law, Lighthouse will immediately notify Client if Lighthouse receives a request to disclose Client Personal Data. Where possible, the notice will (1) attach a copy of the request, and (2) to the extent not covered by (1), specify the identity of the requester, the scope and purpose of the request, the date of the request and any deadline for response;
iv. implement and maintain appropriate technical and organizational measures (1) to protect the security and confidentiality of Client Personal Data processed by it in providing the Services, and (2) to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and (3) as required under Data Protection Laws. Such technical and organizational measures will include the Spectra Information Security & Data Protection Addendum in Exhibit B;
v. promptly notify Client of any request made by a Data Subject under applicable Data Protection Laws in relation to or in connection with personal data processed by Lighthouse on behalf of Client; comply with all reasonable instructions from Client related to such request; and assist Client in answering or complying with any such request; and
vi. process the Client Personal Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Schedule 1 of this Exhibit C or the applicable Client order form.
3. Cooperation and Audit Rights. Upon written request and at no additional charge, Lighthouse will provide to Client reasonable assistance and all information required by Client from time to time to assess Lighthouse’s compliance with this Exhibit C and any Data Protection Laws, and, to the extent possible, provide all necessary assistance and all information necessary for Client to comply with its obligations under applicable Data Protection Laws. Upon reasonable advance written request, Lighthouse will allow for and contribute to reasonable audits and inspections conducted by Client (or Client’s independent third-party auditor), including onsite inspections of Lighthouse’s business premises or Processing facilities for the Processing of Client Personal Data. Lighthouse and Client shall each be responsible for their own costs in relation to any audits undertaken. The process of such audits will be mutually determined by Client in consultation with Lighthouse (covering such matters as scope, timing, costs, and confidentiality). Audits will occur no more than annually unless requested to comply with a request from a regulatory authority or following a Security Incident.
4. Lighthouse Affiliates and Sub-Processors.
(a) Client acknowledges and agrees that (i) Lighthouse may retain its affiliates to process Client Personal Data on its behalf ("Sub-Processor"), and (ii) Lighthouse and Lighthouse’s affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services. Lighthouse has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Exhibit C with respect to the protection of Client Personal Data.
(b) The list of Lighthouse’s Sub-Processors as of the effective date of this Exhibit C is set forth on Schedule 2.
(c) Lighthouse will notify Client in writing of a new Sub-Processor (and the respective location where the Client Personal Data is or could be Processed) to Process Client Personal Data in connection with the applicable Services. Client may object, in its reasonable discretion, to such Sub-processor within 30 days after receipt of such notice by notifying Lighthouse in writing. If Client objects to the addition of a new Sub-Processor, the parties will negotiate a mutually agreeable alternative, and if no such alternative is agreed within four months of the objection, Client will have the right to terminate, without penalty, any Service for which Client Personal Data would be processed by the new Sub-Processor.
(d) Lighthouse will remain fully liable to Client for any acts and omissions of its Sub-Processors to the same extent Lighthouse would be liable if performing the services of each Sub-Processor directly under the terms of this Exhibit C.
5. Incident Management and Notification. Lighthouse maintains security incident management policies and procedures specified in Section 2, and will notify Client within 48 hours after becoming aware of a Security Incident or such shorter timeframe required by the applicable authority for Security Incident reporting. Such notice will (1) include the nature of Processing and the information available to Lighthouse and (2) take into account that under applicable Data Protection Laws, Client may need to notify regulators or individuals of the following:
(a) A description of the nature of the Security Incident including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of Personal Data records concerned;
(b) A description of the likely consequences of the Security Incident; and
(c) A description of any measures Lighthouse has taken or proposes to take to address and/or mitigate the Security Incident; and specify a point of contact at Lighthouse whom Client can contact about the Security Incident;
Lighthouse will ensure that descriptions in the notice are detailed enough to allow Client to understand the impact of the Security Incident. If it is not possible for Lighthouse to provide all of the information required by this Section 5 at the time of the notice, Lighthouse will provide such additional information to Client as the information becomes available thereafter. Lighthouse will take reasonable steps to mitigate and minimize any damage resulting from the Security Incident.
6. Documentation. Lighthouse will maintain an accurate, up-to-date written record of all Processing of Client Personal Data performed on Client's behalf. Lighthouse will provide Client a copy or a summary of such record upon Client's request, and in any event, upon termination of the Agreement.
7. Lighthouse Personnel.
(a) Lighthouse warrants to provide training as necessary from time to time to personnel with respect to Lighthouse's obligations in this Exhibit C and/or under Data Protection Laws, to ensure that the personnel are aware of and comply with such obligations.
(b) Lighthouse will limit access to Client Personal Data to those personnel performing Services in accordance with the Agreement and ensure that any personnel with access to Client Personal Data is bound by confidentiality obligations in respect of access or Processing of such Client Personal Data.
(c) Lighthouse will comply fully with its obligations with respect to the employment of a data protection officer as required under Data Protection Laws.
8. Data Impact Assessment. Upon Client’s request, Lighthouse will provide Client with reasonable cooperation and assistance needed to fulfill Client’s obligation to carry out data protection impact assessments to Client’s use of the Services to the extent such information is available to Lighthouse. Lighthouse will provide reasonable assistance to Client in the cooperation or prior consultation with the applicable supervisory authority in the performance of its tasks relating to Section 8 of this Exhibit C, to the extent required under applicable Data Protection Laws.
9. Return and Deletion of Client Personal Data. Upon termination of the provision of the Services, Lighthouse shall within sixty (60) days, or any other applicable destruction period set forth in the Agreement, whichever is longer, destroy, or, at Client’s request, return the Client Personal Data. Lighthouse may retain Client Personal Data to the extent that it is required or authorized to do so under applicable law and/or regulation or to the extent Client Personal Data is archived on Lighthouse’s back-up systems, in which case Lighthouse will securely isolate and protect such data from any further processing, except to the extent required by applicable law and/or regulation.
10. Survival. The provisions contained in this Exhibit C will survive the termination or expiry of the Agreement to the extent that Lighthouse continues to process Client Personal Data on behalf of Client.
11. Transfer Mechanism(s) for Personal Data Transfers. As of the Effective Date of this Exhibit C, with regard to any transfers of Personal Data from the European Union, Switzerland, the European Economic Area and/or their member states, and/or the United Kingdom to Lighthouse (including any onward transfers from Lighthouse to any Sub-Processors) in a country which does not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws, such transfer will be made pursuant to the relevant Standard Contractual Clauses (“SCC”) in accordance with the below terms and so long as such transfer mechanism is approved by the applicable supervisory authority:
(a) The parties agree that:
i. Client’s signing of an order form will be deemed to be signature and acceptance of the SCC (as applicable) and their appendices by Client as the data exporter and in the role of controller;
ii. Lighthouse’s provision of the Services under an order form will be treated as signing of the SCC and their appendices by Lighthouse, as the data importer and in the role of processor;
iii. Details required under the SCC’s Appendix 1 are available in Schedule 2 to this Exhibit C and under the SCC’s Appendix 2 are outlined in Section 2 of this Exhibit C. In the event of any conflict or inconsistency between this Exhibit C and the SCC, the SCC will prevail.
(b) With regards the UK Clauses, the parties agree that:
i. Section 4 of this Exhibit C represents Client’s express consent regarding existing and new Sub-Processors under Clause 5(h) of the UK Clauses. If Lighthouse transfers Client Personal Data to a Sub-Processor who is located outside of the United Kingdom, Lighthouse shall ensure it enters into a data transfer mechanism approved by the applicable supervisory authority that ensures an adequate level of data protection. Evidence of such data transfer mechanism shall be provided by Lighthouse to Client upon Client’s request. Copies of the Sub-Processor agreements that must be provided by Lighthouse to Client pursuant to Clause 5(j) of the UK Clauses may have all commercial information, or clauses unrelated to the UK Clauses or their equivalent, removed by Lighthouse beforehand; and such copies will be provided by Lighthouse to Client upon request by Client.
ii. Audits pursuant to Clause 5(f) and Clause 12(2) of the UK Clauses will be carried out in accordance with Section 3 of this Exhibit C.
iii. The Parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the UK Clauses will be provided by Lighthouse to Client upon Client’s request.
iv. The phrase “the law of the Member State in which the data exporter is established,” or similar phrase, in the UK Clauses shall be construed as references to the laws of the United Kingdom and the governing law of the UK Clauses shall be the United Kingdom.
v. Without prejudice to the other rights of a data subject under the UK Clauses, a data subject shall be granted the right to refer disputes under the UK Clauses to the courts of the United Kingdom.
(c) With regards the EU Clauses, the parties agree that:
i. Client and Lighthouse shall be subject to the Module 2 provisions of the EU Clauses;
ii. Clause 7 (Docking clause) is incorporated;
iii. Section 4 of this Exhibit C represents Client’s express consent regarding existing and new Sub-Processors under Clause 9(a) (Option 2) of the EU Clauses and, in accordance with Clause 9(a), a period of two weeks' advance notice must be given for any intended changes to the list of Sub-Processors;
iv. option 2 of Clause 17 (Governing law) shall apply and the laws of the Member State where the data was exported from shall govern the EU Clauses;
v. in accordance with Clause 18 (Choice of forum and jurisdiction), the courts of the Member State where the data was exported from will resolve any dispute arising out of the EU Clauses.
12. Updates to Exhibit C’s terms. Lighthouse may update and amend the terms and conditions of this Exhibit C from time to time as may be required to ensure compliance with Data Protection Laws and will provide notice of such update to Customer.
13. Definitions. The following additional definitions apply to this Exhibit C.
“Affiliate” has the meaning defined in the Agreement.
"Data Controller" (or simply "Controller") and "Data Processor" (or simply "Processor") or terms addressing similar data protection and privacy roles, have, in respect to each relevant jurisdiction, the meanings given to those terms under the applicable Data Protection Laws for that jurisdiction.
“Data Protection Laws” means any applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”); the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”), and its implementing regulations; and the United Kingdom General Data Protection Act 2018 (“UK GDPR”) as the same may be amended from time to time and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements, or codes of practice applicable to Processor’s Processing of Client’s Personal Data.
“Data Subject” or "Individual" has the meaning given to it in the Data Protection Laws.
“EEA” shall mean the European Economic Area (European Union countries, Iceland, Liechtenstein, and Norway).
“Personal Data” shall, in each relevant jurisdiction, have the same meaning as the term “Personal Data,” “personal identifiable information (PII),” “Personal Information,” or the equivalent under the applicable Data Protection Laws for that jurisdiction.
“Processing” has, in each relevant jurisdiction, the meaning given to (or in the nearest equivalent term) in the applicable Data Protection Laws for that jurisdiction, and "process," "processes," and "processed" will be interpreted accordingly.
“Security Incident” means any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access of Client Personal Data.
“Special Categories of Data” has, in each relevant jurisdiction, the meaning given to it (or to the nearest equivalent term) in the applicable Data Protection Laws for that jurisdiction.
“Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of personal data to processors established in third countries outside the European Economic Area, which are based on the Commission Decision of 4 June 2021 2021/914 (EU), as may be amended or replaced from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto and (ii) standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the United Kingdom General Data Protection Act 2018, as may be amended or replaced from time to time by the United Kingdom and at the time being in force in the United Kingdom (the “UK Clauses”).
Schedule 1 to Data Processing Addendum
Details of the Processing
Nature and Purpose of Processing
Lighthouse will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Client in its use of the Services.
Duration of Processing
Subject to Section 10 of Exhibit C, Lighthouse will Process Personal Data for the duration of the Services.
Categories of Data Subjects
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
Employee data (current and former employees, contractors); Client, competitor, and supplier data that may be relevant to the matter or project at hand.
Type of Personal Data
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
Various categories, including internal, external, historical, social, criminal convictions, financial and/or tracking, that may be relevant to the matter or project at hand. Various special categories (e.g., data revealing health, racial, or ethnic origin; political opinions; religious or philosophical beliefs; union membership, etc.) that may be relevant to the matter or project at hand.
Details relevant for the Appendix to Standard Contractual Clauses
Annex 1.A. List of Parties
Name and address: Client’s name and address as listed on the applicable order form.
Contact person’s name, position, and contact details: Client’s contact person as listed on the applicable order form.
Activities relevant to the data transferred under the Standard Contractual Clauses: The services provided under the order form that is relevant to the data processing.
Signature and date: Please see Clause 11 of this Exhibit C.
Role (controller/processor): Controller
Name and address: Lighthouse Document Technologies Inc., 51 University Street Suite 400, Seattle, Washington 98101
Contact person’s name, position, and contact details: Michael Miller, Senior Vice President Business Development and Sales, firstname.lastname@example.org
Activities relevant to the data transferred under the Standard Contractual Clauses: The services provided under the order form that is relevant to the data processing.
Signature and date: Please see Clause 11 of this Exhibit C.
Role (controller/processor): Processor
Annex 1.B. Description of Transfer
Data Subjects Whose Personal Data Is Transferred
The Personal Data transferred concern the following categories of Data Subjects: Employee data (current and former employees, contractors); Client, competitor, and supplier data that may be relevant to the matter or project at hand.
Categories of Personal Data Transferred
The Personal Data transferred concern the following categories of data: Various categories, including internal, external, historical, social, financial, and/or tracking, that may be relevant to the matter or project at hand.
Sensitive Data Transferred (if appropriate) and applied Restrictions or Safeguards
The Personal Data transferred concern the following special categories of data: Various categories (e.g., data revealing health, racial or ethnic origin; political opinions; religious or philosophical beliefs; union membership, criminal convictions, etc.) that may be relevant to the matter or project at hand. Applied restrictions and safeguards are defined in Section 2 of Exhibit C.
Frequency of the Transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Transfer of data will occur on a matter-by-matter basis, as determined by the Controller.
Nature of the Processing
Lighthouse, acting as a Processor, will, depending on the scope of its engagement, Process the Personal Data to perform the Services, to comply with its statutory and regulatory obligations, to maintain accounts and records, and to conduct analysis in order to improve its products and services. This will involve, among other things, the collection, storage, analysis and disclosure of Personal Data that Supplier receives from the Controller in accordance with the Agreement.
Purpose(s) of the Data Transfer and Further Processing
The purpose of the processing is the provision of Services pursuant to the Agreement.
Period for which the Personal Data will be Retained, or, if that is not Possible, the Criteria Used to Determine that Period
Personal data will be retained for the duration of the provision of Services pursuant to the Agreement. Upon termination of the Agreement, Personal Data will be deleted in accordance with Controller’s instructions.
For transfers to (Sub-) Processors, also specify Subject Matter, Nature, and Duration of the Processing: As set forth below in Schedule 2.
Annex 1.C. Supervisory Authority
Member State where the data was exported from.
Annex II. Technical and Organizational Measures to Ensure the Security of the Data
Please see the Data Security Standards attached to the Agreement. Lighthouse shall ensure that any Sub-Processors are subject to, and comply with, standards no less onerous than the Data Security Standards attached to this Agreement.
Annex III. List of Sub-Processors
Please see Schedule 2 of this Exhibit C.
Schedule 2 to Data Processing Addendum
List for each Sub-Processor: Name, address, contact person’s name, position, location of where the personal data is being processed, and Description of Processing of Sub-Processor including Subject Matter, Nature, and Duration of Processing.
Name: Lighthouse eDiscovery Europe, Ltd.
Address: 1 King William Street, London EC4N 7AF United Kingdom
Contact person’s name, position and contact details: Martin Carey, Managing Director, Europe, email@example.com
Description of processing: Assist Lighthouse in the provision of the Services as may be requested to perform the same functions as Lighthouse or as may be provided to assist with EU or UK data.
Name: Iota Analytics Pvt. Ltd.
Address: C-138, Phase VIII, Industrial Area, Mohali, Punjab-160059, India
Contact person’s name, position and contact details: Ishika Aggarwal, Director, firstname.lastname@example.org
Description of processing: Third-shift back-end support. Provide general staff augmentation, 24x7 basic, labor-intensive tasks (e.g., processing and conversion of native documents to TIFF format). At no time does Iota Analytics remove data from Lighthouse’s U.S. datacenter or provide any substantive review/input.