Data Processing Agreement

Lucio's Data Processing Agreement

This Data Processing Agreement (“DPA”) is incorporated into and forms a part of your Lucio Platform Agreement, Lucio Terms of Service, or other applicable service or subscription agreement between you and Zenlegal Technology Private Limited (“Lucio”) with respect to your use of the Lucio Platform (“Lucio Agreement”). This DPA sets out data protection requirements with respect to the processing of Customer Personal Data (as defined below) that is collected, stored, or otherwise processed by Lucio. This DPA is effective on the effective date of the Lucio Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature.

1. Definitions

The following terms have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in your Lucio Agreement.

“Customer,” “you” and “your” means the organization that agrees to an Order Form, or uses the Cloud Services subject to the relevant Lucio Agreement.
“Customer Personal Data” means any personal data that Customer uploads into the Cloud Services that is processed by Lucio.
“Data Protection Law” means, to the extent applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the Data Protection Act 2018 and EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) Digital Personal Data Protection Act, 2023 (DPDP Act) and its rules as applicable in India; (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102) which may be amended from time to time (“CCPA”); (vi) the Swiss Federal Act on Data Protection (“FADP”); and (vii) any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the Lucio Agreement.
“Data Subject Request” has the meaning given to it in Section 5.1
“EEA” means the European Economic Area
“Platform” means the artificial intelligence platform Lucio as hosted on dashboard.lucioai.com, or any other url as identified in the relevant Order Form
“Services” means any services that Lucio provides to the Customer, as made available on the Platform, on the date of this Agreement, or as identified in the relevant Order Form, including support services.
"Subprocessor" means any third-party data processor engaged by Lucio to process Customer Personal Data.
“Technical and Organizational Security Measures” has the meaning given to it in Section 3.2.
The terms “controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” and “supervisory authority” have the meanings set forth in the EU GDPR

2. Data Processing

2.1. Scope and Roles

This DPA applies when Lucio processes Customer Personal Data regulated under Data Protection Law in the course of providing the Cloud Services. In this context, Lucio is a “processor” to Customer, who may act as either a “controller” or “processor” with respect to Customer Personal Data.

2.2. Details of the Processing

Subject Matter - The subject matter of the data processing under this DPA is Customer Personal Data.

Duration - The duration of the data processing under this DPA is until the expiration or termination of the Lucio Agreement in accordance with its terms.

Nature and Purpose - The purpose of the data processing under this DPA is the provision of the Platform and Services to Customer in accordance with the Lucio Agreement.

Types of Customer Personal Data - The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploaded to the Platform by Customer.

Categories of Data Subjects - The data subjects may include Customer’s customers, employees, suppliers, and end users or any other individual whose personal data Customer uploads to the Cloud Services.

2.3. Compliance with Laws

Each party will comply with all applicable Data Protection Law, including the EU GDPR, in relation to the processing of Customer Personal Data.

2.4. Lucio’s Processing

Lucio will process Customer Personal Data only for the purposes of:

Provisioning its Platform and services

Processing initiated by Customer in its use of the Platform, and
Processing in accordance with your Lucio Agreement, this DPA, and your other reasonable documented instructions that are consistent with the terms of your Lucio Agreement. Any other processing will require prior written agreement between the parties.

2.5. Customer Obligations

Customer acknowledges that it controls the nature and contents of the Customer Personal Data. Customer will ensure that it has obtained all necessary and appropriate consents from and provided notices to data subjects where required by Data Protection Law to enable the lawful transfer of any Customer Personal Data to Lucio for the duration and purposes of this DPA and the Lucio Agreement.

3. Security

3.1. Confidentiality of Personnel

Lucio will ensure that any of our personnel and any subcontractors who have access to Customer Personal Data are under an appropriate obligation of confidentiality.

3.2. Security Measures

We will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing of Customer Personal Data.

3.3. Breach Notification

We will notify you without undue delay if we become aware of a personal data breach affecting Customer Personal Data.

4. Subprocessors

4.1. Authorized Subprocessors

You acknowledge and agree that we may retain our affiliates and other third parties to further process Customer Personal Data on your behalf as Subprocessors in connection with the provision of the Cloud Services. We maintain a current list of our Subprocessors on our Trust Centre, which we will update at least 30 days before the addition or replacement of any Subprocessor. You may also opt to receive email notifications of any change to our list of Subprocessors.

4.2. Objections to Subprocessors

In the event you have a reasonable objection to any new Subprocessor, either (A) we will if possible, continue to provide our Services, without such new sub-processor in accordance with the terms of the Lucio Agreement and any applicable Order Form, or (B) if we cannot provide the Services without the use of such Subprocessor, you may, as your sole and exclusive remedy, terminate this Agreement and any applicable Order Form and receive a refund of any prepaid fees for unused Subscriptions.

4.3. Subprocessor Obligations

Lucio will impose on each Subprocessor the same data protection obligations as are imposed on us under this DPA. We will be liable to you for the performance of the Subprocessors' obligations to the extent required by Data Protection Law.

5. Data Subject Requests

5.1. To assist with your obligations to respond to requests from data subjects, the Lucio Platform provides Customer with the ability to retrieve, correct, or delete Customer Personal Data. Customer may use these controls to assist it in connection with its obligations under Data Protection Law, including its obligations related to any request from a data subject to exercise their rights under Data Protection Law (each, a “Data Subject Request”).

5.2. If a data subject contacts Lucio with a Data Subject Request that identifies Customer, to the extent legally permitted, we will promptly notify Customer. Solely to the extent that Customer is unable to access Customer Personal Data itself, and Lucio is legally permitted to do so, we will provide commercially reasonable assistance to Customer in responding to the Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from Lucio’s provision of such assistance, including any fees associated with the provision of additional functionality.

6. Requests for Customer Personal Data

6.1. If we receive a valid and binding legal order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Customer Personal Data, we will use commercially reasonable efforts to redirect the Requesting Party to seek that Customer Personal Data directly from Customer.

6.2. If, despite our efforts, we are compelled to disclose Customer Personal Data to a Requesting Party, we will:

If legally permitted, promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy. If we are prohibited from notifying Customer, we will use commercially reasonable efforts to obtain a waiver of that prohibition;

Challenge any over-broad or inappropriate Request (including Requests that conflict with the law of the European Union); and

Disclose only the minimum amount of Customer Personal Data necessary to satisfy the Request.

7. Cooperation

Taking into account the nature of the processing and the information available to us, at your request and cost, Lucio will provide reasonable assistance to ensure compliance with the obligations under applicable Data Protection Law with respect to implementing appropriate security measures, personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators, in each case solely related to processing of Customer Personal Data by Lucio.

8. Customer Audit Rights

Upon Customer’s request, and subject to the confidentiality obligations set forth in your Lucio Agreement, Lucio will make available to Customer (or Customer’s independent, third-party auditor) information regarding Lucio’s compliance with the security obligations set forth in this DPA in the form of third-party certifications and audits.

If that information is not sufficient to demonstrate our compliance with the security obligations in the DPA, you may contact Lucio in accordance with the notice provision of your Lucio Agreement to conduct your own audit, in the form of requesting information relevant to the protection of Customer Personal Data, only to the extent required under applicable Data Protection Law. Customer will reimburse Lucio for its reasonable costs associated with any such information collation and sharing.

Customer will promptly notify Lucio with information regarding any non-compliance discovered during the course of an audit, and Lucio will use commercially reasonable efforts to address any confirmed non-compliance.

9. Data Transfers

9.1. Data Deployment Locations

When required by Data Protection Law, any transfers by Customer of Customer Personal Data between different national jurisdictions will be governed by the transfer mechanisms described in Section 9.2 below.

9.2. Transfer Mechanism

As and when required by Data Protection Law, for transferring of Customer Personal Data between different national jurisdictions, Lucio will

Provide at least the same level of privacy protection to Customer Personal Data as is required by Data Protection Law

Notify Customer if Lucio makes a determination it can no longer meet its obligation to provide the same level of protection as is required by Data Protection Law
Upon notice, take reasonable and appropriate steps to remediate unauthorized processing of Customer Personal Data. Where the transfer of Customer Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant authorities as providing an adequate level of protection for personal data according to Data Protection Law, Lucio agrees to process that Customer Personal Data in compliance with the provisions set out in Schedule 1 below, which forms an integral part of this DPA

10. Return or Deletion of Data

Customer may retrieve or delete all Customer Personal Data upon expiration or termination of the Lucio Agreement. Upon termination of your Lucio Agreement or upon your request, Lucio will delete any Customer Personal Data not deleted by Customer, subject to statutory archival requirements.

11. CCPA Obligations

For purposes of this Section 11, Customer Personal Data shall include “personal information” (as that term is defined under CCPA) that Customer uploads into the Cloud Services that is processed by Lucio. Lucio is a “service provider” as defined in CCPA.

11.1. Lucio will not:

Retain, use, or disclose Customer Personal Data for any purpose other than providing the Services

Retain, use, or disclose Customer Personal Data outside of the direct business relationship between Lucio and Customer;

Sell or share Customer Personal Data (as the terms “sell” and “share” are defined in CCPA); or

Combine Customer Personal Data with personal information that Lucio has received from another Lucio customer, except as permitted under CCPA.

11.2. We will notify you if we determine that we can no longer comply with our obligations as a service provider under CCPA.

11.3. You have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information that is protected under CCPA.

SCHEDULE 1

STANDARD CONTRACTUAL CLAUSES

1. For purposes of this Schedule 1, “Standard Contractual Clauses” means, as the circumstances may require, the applicable module(s) of the Standard Contractual Clauses approved by the European Commission in decision 2021/914, or any subsequent versions of the Standard Contractual Clauses which may be adopted by the European Commission from time to time. Upon the effective date of adoption for any revised Standard Contractual Clauses by the European Commission, all references in this DPA to the “Standard Contractual Clauses” shall refer to that latest version thereof.

2. Pursuant to Section 9.3 of the DPA, where the transfer of Customer Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant authorities as providing an adequate level of protection for personal data according to Data Protection Law, then the Standard Contractual Clauses shall apply in accordance with this Schedule 1.3

3. Incorporation of the Standard Contractual Clauses

3.1. When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 2 above, the parties agree that:

Clause 7 will not apply

Notify Customer if Lucio makes a determination it can no longer meet its obligation to provide the same level of protection as is required by Data Protection Law
In Clause 9(a), Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 4.1 of the DPA.

In Clause 11(a), the optional language will not apply

In Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland.

In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.

3.2. For purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties):

3.2.1. Data Exporter: Customer

Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications.
Data Exporter Role: Data Exporter’s role is outlined in Section 2 of the DPA.

Signature & Date: By entering into the Lucio Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule I to the DPA, as of the effective date of the Lucio Agreement.

3.2.2. Data Importer: Lucio, on its own behalf and on behalf of its non-EEA Affiliates.

Contact Details: Lucio’s DPO at privacy@lucioai.com

Data Importer Role: Data Importer’s role is outlined in Section 2 of the DPA.

Signature & Date: By entering into the Lucio Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule 1 to the DPA, as of the effective date of the Lucio Agreement.

3.3. For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer):

The categories of data subjects are described in Section 2.2.5 of the DPA.

The categories of data subjects are described in Section 2.2.5 of the DPA.

The frequency of the transfer is on a continuous basis for the duration of the Lucio Agreement.

The nature and purpose of the processing is described in Section 2.2.3 of the DPA.

The period of retention of Customer Personal Data in relation to the processing will end upon termination of the Lucio Agreement.

For transfers to Subprocessors, the subject matter and nature of the processing is described on Lucio’s Trust Centre. The duration of processing by Subprocessors is the same as by Data Importer.

3.4. For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority/ies shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses.

3.5. Sections 3 and 4.3 of the DPA contain the information required under Annex II of the Standard Contractual Clauses (Technical and Organizational Measures).

3.6. In addition to the above stipulations, each of the following forms part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses:

Clause 8.9 of the Standard Contractual Clauses: Audit. Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 by instructing Data Importer to comply with the audit measures described in Section 8 (Customer Audit Rights) of the DPA.

Clause 9(c) of the Standard Contractual Clauses: Disclosure of Subprocessor agreements. The parties acknowledge that, pursuant to subprocessor confidentiality restrictions, Data Importer may be restricted from disclosing onward subprocessor agreements to Data Exporter. Even where Data Importer cannot disclose a subprocessor agreement to Data Exporter, the parties agree that, upon the request of Data Exporter, Data Importer shall (on a confidential basis) provide all information it reasonably can in connection with such subprocessing agreement to Data Exporter.

Clause 12 of the Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Lucio Agreement.

4. Transfers of Customer Personal Data Protected by Swiss FADP

4.1. With respect to transfers of Customer Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Sections 2 and 3 above, with the following modifications:

Any references in the Standard Contractual Clauses to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to FADP;

References to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

References to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.

5. Transfers of Customer Personal Data Protected by UK GDPR.

5.1. With respect to transfers of Customer Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under S119A(1) Data Protection Act 2018 (“UK Addendum”), shall apply and be incorporated by reference into this DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 3 of this Schedule 1. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 3 of this Schedule 1 and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.

Platform Privacy Policy ›