Data Processing Addendum

Effective Date:

Last Updated:

This DPA is an agreement between you and the entity you represent ("Customer") and Levamo, LLC ("we," "us," "our," "Rapyd Cloud," or "Levamo"). This DPA applies automatically to all Customers globally that require Rapyd Cloud to comply with Applicable Data Protection Law.

This DPA supplements our Terms of Service, as updated from time to time. Unless otherwise defined in this DPA, all capitalized terms used in this DPA will have the meanings given to them in the Terms of Service.

  1. DATA PROCESSING.

    1. Scope and Roles. This DPA applies when Customer Data is processed by Rapyd Cloud. In this context, Rapyd Cloud will act as processor to Customer.
    2. Customer Controls. Customer can use the Service Controls to assist it with its obligations under Applicable Data Protection Law, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that Rapyd Cloud would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Rapyd Cloud becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Rapyd Cloud will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by providing the Service Controls that Customer can use to erase or rectify Customer Data.
    3. Details of Data Processing.
      1. Subject Matter. The subject matter of the data processing under this DPA is Customer Data.
      2. Duration. As between Rapyd Cloud and Customer, the duration of the data processing under this DPA is determined by Customer.
      3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
      4. Nature of the Processing. Compute, storage, and such other Services as described in the Documentation and initiated by Customer from time to time.
      5. Type of Customer Data. Customer Data uploaded to the Services under Customer's Rapyd Cloud Accounts.
      6. Categories of Data Subjects. The data subjects could include Customer's customers, employees, suppliers, and End Users.
    4. Compliance with Laws. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law.

  2. CUSTOMER INSTRUCTIONS

    1. The parties agree that this DPA (including Customer providing instructions in Rapyd Cloud Services) constitute Customer's documented instructions regarding Rapyd Cloud's processing of Customer Data ("Documented Instructions"). Rapyd Cloud will process Customer Data only in accordance with Documented Instructions (which if Customer is acting as a processor, could be based on the instructions of its controllers). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Rapyd Cloud and Customer, including agreement on any additional fees payable by Customer to Rapyd Cloud for carrying out such instructions. Customer is entitled to terminate this DPA if Rapyd Cloud declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Taking into account the nature of the processing, Customer agrees that it is unlikely Rapyd Cloud can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Rapyd Cloud forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.

  3. CONFIDENTIALITY OF CUSTOMER DATA

    1. Rapyd Cloud will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Rapyd Cloud a demand for Customer Data, Rapyd Cloud will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Rapyd Cloud may provide Customer's basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Rapyd Cloud will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Rapyd Cloud is legally prohibited from doing so.

  4. CONFIDENTIALITY OBLIGATIONS OF RAPYD CLOUD PERSONNEL

    1. Rapyd Cloud restricts its personnel from processing Customer Data without authorization by Rapyd Cloud as described in the Security Standards. Rapyd Cloud imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

  5. SECURITY OF DATA PROCESSING

    1. Rapyd Cloud has implemented and will maintain the technical and organizational measures for the Rapyd Cloud Network as described in the Security Standards and this Section. In particular, Rapyd Cloud has implemented and will maintain the following technical and organizational measures:
      1. security of the Rapyd Cloud Network as set out in Section 1.1 of the Security Standards;
      2. physical security of the facilities as set out in Section 1.2 of the Security Standards;
      3. measures to control access rights for authorized personnel to the Rapyd Cloud Network as set out in Section 1.3 of the Security Standards; and
      4. processes for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures implemented by Rapyd Cloud as described in Section 2 of the Security Standards.
    2. Customer can elect to implement technical and organizational measures to protect Customer Data. Such technical and organizational measures include the following which can be obtained by Customer from Rapyd Cloud as described in the Documentation, or directly from a third-party supplier:
      1. pseudonymization and encryption to ensure an appropriate level of security;
      2. measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are operated by Customer;
      3. measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
      4. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer.

  6. SUB-PROCESSING

    1. Authorized Sub-processors. Customer provides general authorization to Rapyd Cloud's use of sub-processors to provide processing activities on Customer Data on behalf of Customer ("Sub-processors") in accordance with this Section. The Rapyd Cloud Website (/legal/subprocessors/) lists Sub-processors that are currently engaged by Rapyd Cloud. At least 30 days before Rapyd Cloud engages a Sub-processor, Rapyd Cloud will update the applicable website and provide Customer with a mechanism to obtain notice of that update. To object to a Sub-processor, Customer can: (i) use the Service for which Rapyd Cloud has engaged the Sub-processor; or (ii) move the relevant Customer Data to another Region where Rapyd Cloud has not engaged the Sub-processor.
    2. Sub-processor Obligations. Where Rapyd Cloud authorizes a Sub-processor as described in Section 6.1:
      1. Rapyd Cloud will restrict the Sub-processor's access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Rapyd Cloud will prohibit the Sub-processor from accessing Customer Data for any other purpose;
      2. Rapyd Cloud will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Rapyd Cloud under this DPA, Rapyd Cloud will impose on the Sub-processor the same contractual obligations that Rapyd Cloud has under this DPA; and
      3. Rapyd Cloud will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Rapyd Cloud to breach any of Rapyd Cloud's obligations under this DPA.

  7. RAPYD CLOUD ASSISTANCE WITH DATA SUBJECT REQUESTS

    1. Taking into account the nature of the processing, the Service Controls are the technical and organizational measures by which Rapyd Cloud will assist Customer in fulfilling Customer's obligations to respond to data subjects' requests under Applicable Data Protection Law. If a data subject makes a request to Rapyd Cloud, Rapyd Cloud will promptly forward such request to Customer once Rapyd Cloud has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes on its behalf, and on behalf of its controllers when Customer is acting as a processor, Rapyd Cloud to respond to any data subject who makes a request to Rapyd Cloud, to confirm that Rapyd Cloud has forwarded the request to Customer. The parties agree that Customer's use of the Service Controls and Rapyd Cloud forwarding data subjects' requests to Customer in accordance with this Section, represent the scope and extent of Customer's required assistance.

  8. OPTIONAL SECURITY FEATURES

    1. Rapyd Cloud makes available many Service Controls that Customer can elect to use. Customer is responsible for (a) implementing the measures described in Section 5.2, as appropriate, (b) properly configuring the Services, (c) using the Service Controls to allow Customer to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident (for example backups and routine archiving of Customer Data), and (d) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorized access and measures to control access rights to Customer Data.

  9. SECURITY INCIDENT NOTIFICATION

    1. Security Incident.
      1. Rapyd Cloud will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
      2. The notice shall include the following to the extent then known:
        1. the dates and times of the Security Incident,
        2. the basic facts that underlie the discovery of the Security Incident, or the decision to begin an investigation into a suspected Security Incident, as applicable,
        3. a description of the Customer Personal Data involved in the Security Incident, either specifically, or by reference to the data categories, and
        4. the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Security Incident.
    2. Rapyd Cloud Assistance. To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Rapyd Cloud will cooperate with and assist Customer by including in the notification under Section 9.1(a) such information about the Security Incident as Rapyd Cloud is able to disclose to Customer, taking into account the nature of the processing, the information available to Rapyd Cloud, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
    3. Unsuccessful Security Incidents. Customer agrees that:
      1. an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Rapyd Cloud's equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
      2. Rapyd Cloud's obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by Rapyd Cloud of any fault or liability of Rapyd Cloud with respect to the Security Incident.
    4. Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer's administrators by any means Rapyd Cloud selects, including via email. It is Customer's sole responsibility to ensure Customer's administrators maintain accurate contact information on the Rapyd Cloud Services and secure transmission at all times.

  10. RAPYD CLOUD CERTIFICATIONS AND AUDITS

    1. Audit Reports. At Customer's written request, and provided that the parties have an applicable non-disclosure agreement in place, Rapyd Cloud will provide Customer with a copy of the Report so that Customer can reasonably verify Rapyd Cloud's compliance with its obligations under this DPA.
    2. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Rapyd Cloud, Rapyd Cloud will assist Customer in complying with Customer's obligations in respect of data protection impact assessments and prior consultation, by providing the information Rapyd Cloud makes available under this Section 10.

  11. CUSTOMER AUDITS

    1. Customer chooses to conduct any audit, including any inspection, it has the right to request or mandate on its own behalf, and on behalf of its controllers when Customer is acting as a processor, under Applicable Data Protection Law or the Standard Contractual Clauses, by instructing Rapyd Cloud to carry out the audit described in Section 10. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Rapyd Cloud written notice. If Rapyd Cloud declines to follow any instruction requested by Customer regarding audits, including inspections, Customer is entitled to terminate this DPA in accordance with its terms.

  12. TRANSFERS OF PERSONAL DATA

    1. Regions. Customer can specify the location(s) where Customer Data will be processed within the Rapyd Cloud Network (each a "Region"), including Regions in the EEA. Once Customer has made its choice, Rapyd Cloud will not transfer Customer Data from Customer's selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or valid and binding order of a governmental body.
    2. Application of Standard Contractual Clauses. Subject to Section 12.3, the Standard Contractual Clauses will only apply to Customer Data subject to the GDPR that is transferred, either directly or via onward transfer, to any Third Country (each a "Data Transfer").
      1. When Customer is acting as a controller, the Controller-to-Processor Clauses will apply to a Data Transfer.
      2. When Customer is acting as a processor, the Processor-to-Processor Clauses will apply to a Data Transfer. Taking into account the nature of the processing, Customer agrees that it is unlikely that Rapyd Cloud will know the identity of Customer's controllers because Rapyd Cloud has no direct relationship with Customer's controllers and therefore, Customer will fulfill Rapyd Cloud's obligations to Customer's controllers under the Processor-to-Processor Clauses.
    3. Alternative Transfer Mechanism. The Standard Contractual Clauses will not apply to a Data Transfer if Rapyd Cloud has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful Data Transfers.

  13. TERMINATION OF THE DPA

    1. This DPA will continue in force until the date that it is terminated in accordance with this DPA (the "Termination Date").

  14. RETURN OR DELETION OF CUSTOMER DATA

    1. At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Rapyd Cloud Terms of Service ("Terms of Service"), Rapyd Cloud will return or delete Customer Data when Customer uses the Service Controls to request such return or deletion. No later than the end of this 90-day period, Customer will close all Rapyd Cloud Accounts containing Customer Data.

  15. DUTIES TO INFORM

    1. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Rapyd Cloud, Rapyd Cloud will inform Customer without undue delay. Rapyd Cloud will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer's property and area of responsibility and that Customer Data is at Customer's sole disposition.

  16. ENTIRE AGREEMENT; CONFLICT

    1. This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA. Nothing in this document varies or modifies the Standard Contractual Clauses.

  17. DEFINITIONS

    1. Unless otherwise defined in the Rapyd Cloud Terms of Service, all capitalized terms used in this DPA will have the meanings given to them below:
      1. "API" means an application program interface.
      2. "Applicable Data Protection Law" means all laws and regulations applicable to and binding on the processing of Customer Data by a party, including, as applicable, the GDPR or the PDPL.
      3. "Rapyd Cloud Network" means the servers, networking equipment, and host software systems (for example, virtual firewalls) that are within Rapyd Cloud's control and are used to provide the Services.
      4. "Binding Corporate Rules" has the meaning given to it in the GDPR.
      5. "controller" has the meaning given to it in the GDPR.
      6. "Controller-to-Processor Clauses" means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at /legal/controller-to-processor-transfers/.
      7. "Customer Data" means the Personal Data that is uploaded to the Services under Customer's Rapyd Cloud Accounts.
      8. "Documentation" means the then-current documentation for the Services located at [email protected] (and any successor locations designated by Rapyd Cloud).
      9. "EEA" means the European Economic Area.
      10. "GDPR" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
      11. "PDPL" means the United Arab Emirates ("UAE") Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection.
      12. "Personal Data" means personal data, personal information, personally identifiable information, or other equivalent term (each as defined in Applicable Data Protection Law).
      13. "processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" will be interpreted accordingly.
      14. "processor" has the meaning given to it in the GDPR.
      15. "Processor-to-Processor Clauses" means the standard contractual clauses between processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at /legal/processor-to-processor-transfers/.
      16. "Region" has the meaning given to it in Section 12.1 of this DPA.
      17. "Security Incident" means a breach of Rapyd Cloud's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
      18. "Security Standards" means the security standards attached to this DPA as Annex 1.
      19. "Service Controls" means the controls, including security features and functionalities, that the Services provide, as described in the Documentation.
      20. "Standard Contractual Clauses" means (i) the Controller-to-Processor Clauses, or (ii) the Processor- to-Processor Clauses, as applicable in accordance with Sections 12.2.1 and 12.2.2.
      21. "Third Country" means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).

ANNEX 1 - SECURITY STANDARDS

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Terms of Service.

  1. INFORMATION SECURITY PROGRAM

    1. Rapyd Cloud will maintain an information security program designed to (a) enable Customer to secure Customer Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the Rapyd Cloud Network, and (c) minimize physical and logical security risks to the Rapyd Cloud Network, including through regular risk assessment and testing. Rapyd Cloud will designate one or more employees to coordinate and be accountable for the information security program.
    2. Rapyd Cloud's information security program will include the measures in Paragraphs 2, 3, 4, and 5 below.

  2. LOGICAL SECURITY

    1. Access Controls. Rapyd Cloud will make the Rapyd Cloud Network accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Rapyd Cloud will maintain access controls and policies to manage authorizations for access to the Rapyd Cloud Network from each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. Rapyd Cloud will maintain access controls designed to (i) restrict unauthorized access to data, and (ii) segregate each customer's data from other customers' data.
    2. Restricted User Access. Rapyd Cloud will (i) provision and restrict user access to the Rapyd Cloud Network in accordance with least privilege principles based on personnel job functions, (ii) require review and approval prior to provisioning access to the Rapyd Cloud Network above least privileged principles, including administrator Accounts; (iii) require at least quarterly review of Rapyd Cloud Network access privileges and, where necessary, revoke Rapyd Cloud Network access privileges in a timely manner, and (iv) require two- factor authentication for access to the Rapyd Cloud Network from remote locations.
    3. Vulnerability Assessments. Rapyd Cloud will perform regular external vulnerability assessments and penetration testing of the Rapyd Cloud Network, and will investigate identified issues and track them to resolution in a timely manner.
    4. Application Security. Before publicly launching new Services or significant new features of Services, Rapyd Cloud will perform application security reviews designed to identify, mitigate, and remediate security risks.
    5. Change Management. Rapyd Cloud will maintain controls designed to log, authorize, test, approve and document changes to existing Rapyd Cloud Network resources, and will document change details within its change management or deployment tools. Rapyd Cloud will test changes according to its change management standards prior to migration to production. Rapyd Cloud will maintain processes designed to detect unauthorized changes to the Rapyd Cloud Network and track identified issues to a resolution.
    6. Data Integrity. Rapyd Cloud will maintain controls designed to provide data integrity during transmission, storage, and processing within the Rapyd Cloud Network. Rapyd Cloud will provide Customer the ability to delete Customer Data from the Rapyd Cloud Network.
    7. Business Continuity and Disaster Recovery. Rapyd Cloud will maintain a formal risk management program designed to support the continuity of its critical business functions ("Business Continuity Program"). The Business Continuity Program includes processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Rapyd Cloud's provision of the Services (a "BCP Event"). The Business Continuity Program includes a three-phased approach that Rapyd Cloud will follow to manage BCP Events:
      1. Incident Management. Rapyd Cloud will maintain corrective action plans and incident response plans to respond to potential security threats to the Rapyd Cloud Network. Rapyd Cloud incident response plans will have defined processes to detect, mitigate, investigate, and report security incidents. The Rapyd Cloud incident response plans include incident verification, attack analysis, containment, data collection, and problem remediation.

  3. PHYSICAL SECURITY

    1. Access Controls. Rapyd Cloud will (i) implement and maintain physical safeguards designed to prevent unauthorized physical access, damage, or interference to the Rapyd Cloud Network, (ii) use appropriate control devices to restrict physical access to the Rapyd Cloud Network to only authorized personnel who have a legitimate business need for such access, (iii) monitor physical access to the Rapyd Cloud Network using intrusion detection systems designed to monitor, detect, and alert appropriate personnel of security incidents, (iv) log and regularly audit physical access to the Rapyd Cloud Network, and (v) perform periodic reviews to validate adherence with these standards.
    2. Availability. Rapyd Cloud will (i) implement redundant systems for the Rapyd Cloud Network designed to minimize the effect of a malfunction on the Rapyd Cloud Network, (ii) design the Rapyd Cloud Network to anticipate and tolerate hardware failures, and (iii) implement automated processes designed to move customer data traffic away from the affected area in the case of hardware failure.

  4. RAPYD CLOUD EMPLOYEES

    1. Employee Security Training. Rapyd Cloud will implement and maintain employee security training programs regarding Rapyd Cloud information security requirements. The security awareness training programs will be reviewed and updated at least annually.
    2. Background Checks. Where permitted by law, and to the extent available from applicable governmental authorities, Rapyd Cloud will require that each employee undergo a background investigation that is reasonable and appropriate for that employee's position and level of access to the Rapyd Cloud Network.
    3. Activation & Notification Phase. As Rapyd Cloud identifies issues likely to result in a BCP Event, Rapyd Cloud will escalate, validate, and investigate those issues. During this phase, Rapyd Cloud will analyze the root cause of the BCP Event.
    4. Recovery Phase. Rapyd Cloud assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected Services.
    5. Reconstitution Phase. Rapyd Cloud leadership reviews actions taken and confirms that the recovery effort is complete, and the affected portions of the Services and Rapyd Cloud Network have been restored. Following such confirmation, Rapyd Cloud conducts a post-mortem analysis of the BCP Event.

  5. CONTINUED EVALUATION

    1. Rapyd Cloud will conduct periodic reviews of the information security program for the Rapyd Cloud Network. Rapyd Cloud will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.