Journey Start
This Data Processing Agreement (the “Partner DPA”) is incorporated into the agreement(s) entered into by you (“Partner”) and LuvCoach AI, Inc. (“LuvCoach AI”), and governs the data sharing between you and LuvCoach AI (but excluding customer agreements between Partner and LuvCoach AI that govern Partner’s purchase and use of LuvCoach AI products and services) (“Partner Agreement”).
This Partner DPA covers the processing of: (1) Personal Data that the Partner uploads, transfers, or otherwise provides to LuvCoach AI in connection with a Partner Agreement; and (2) Personal Data that LuvCoach AI (or its customers) uploads, transfers, or otherwise provides to Partner in connection with the Partner Agreement.
Collectively, this Partner DPA (including the SCCs, as defined below) and the Partner Agreement are referred to in this Partner DPA as the “Agreement.” In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs (b) this Partner DPA; and (c) the Partner Agreement.
The Purpose of this Partner DPA is to establish a framework to address scenarios where:
“Business” and “Service Provider” will have the meanings given to them in the CCPA.
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018), as amended by the California Privacy rights Act of 2020 or “CPRA”.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Privacy Framework” means the U.S. Data Privacy Framework. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded or replaced.
“Data Protection Laws” means all applicable worldwide legislation or regulations relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement.“
Joint Customer” means a customer of both Partner and LuvCoach AI.
“Joint Customer Personal Data” means any Personal Data for which a Joint Customer acts as a Controller.
“LuvCoach AI Personal Data” means any Personal Data for which LuvCoach AI acts as a Controller.
“Partner Personal Data” means any Personal Data for which Partner acts as a Controller.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within LuvCoach AI Personal Data, Partner Personal Data or Joint Customer Personal Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
The parties shall each represent and warrant that they will comply with their respective obligations and duties under applicable Data Protection Laws.
Each party, to the extent that it, along with the other party, acts as a Processor with respect to Joint Customer Personal Data, will (i) comply with the instructions and restrictions set forth in any agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Laws. The parties both acknowledge and agree that each party is acting as a Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.
Each party, to the extent that it, along with the other party, acts as a Controller with respect to Personal Data, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Laws.
5.1 Relationship of the parties. The rights, responsibilities, and obligations of the parties with regard to the ‘Controller Obligations’, ‘Processor Obligations’, ‘Audit Certification’ and ‘Data Return and Deletion’ sections of this DPA shall be as follows:
For Processing operations where LuvCoach AI processes Personal Data on Partner’s behalf and at Partner’s direction, the term “Processor” refers to LuvCoach AI, the term “Controller” refers to Partner, and the term “Personal Data” refers to Partner Personal Data. For data processing operations where Partner processes Personal Data on LuvCoach AI’s behalf and at LuvCoach AI’s direction, the term “Processor” refers to Partner, the term “Controller” refers to LuvCoach AI, and the term “Personal Data” refers to LuvCoach AI Personal Data.
5.2 Scope of Processing. In the context of the scenarios described in the ‘Relationship of the parties’ section above, each party agrees to process Personal Data only for the purposes set forth in the applicable Partner Agreement and/or the agreement(s) with the Joint Customer. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA.
The parties in their capacity as a Controller agree to:
a. Provide instructions to the Processor and determine the purposes and means of the Processor’s processing of Personal Data in accordance with the Agreement; and
b. Comply with its protection, security and other obligations with respect to Personal Data prescribed by applicable Data Protection Laws for a Controller by: (i) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Controller; (ii) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (iii) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Data on its behalf.
7.1 Processing Requirements. The parties in their capacity as a Processor agree to:
a. Process Personal Data (i) only for the purpose of providing, supporting and improving the Processor’s product and services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from the Controller. The Processor will not use or process Personal Data for any other purpose. The Processor will promptly inform the Controller in writing if it cannot comply with the requirements under the ‘Controller Obligations’, ‘Processor Obligations’, ‘Audit Certification’ and ‘Data Return and Deletion’ sections of this DPA, in which case the Controller may terminate the Agreement, and any applicable Partner Agreement, or take any other reasonable action, including suspending data processing operations;
b. Inform the Controller promptly and without undue delay if, in the Processor’s opinion, an instruction from the Controller violates applicable Data Protection Laws;
c. If the Processor is collecting Personal Data from individuals on behalf of the Controller, follow the Controller’s instructions regarding such Personal Data collection;
d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on the Processor’s behalf comply with the terms of the Agreement, and applicable Partner Agreements;
e. Represent and warrant that its employees, authorized agents and any Subprocessors are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the personal data who is not under such a duty of confidentiality;
f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) provide a list of Subprocessors currently engaged by the Processor to the Controller, and notify the Controller of the engagement of any new Subprocessors at least 30 days in advance, giving the Controller the opportunity to object; (ii) remain liable to the Controller for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on the Processor’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;
g. Upon request, provide the Controller with the Processor’s privacy and security policies; and
h. Inform the Controller if the Processor undertakes an independent security review.
7.2 Notice to the Controller. The Processor will immediately and without undue delay inform the Controller if the Processor becomes aware of:
a. Any non-compliance by Processor or its employees with the ‘Controller Obligations’, ‘Processor Obligations’, ‘Audit Certification’ and ‘Data Return and Deletion’ sections of this DPA or applicable Data Protection Laws relating to the protection of Personal Data processed under this DPA;
b. Any legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
c. Any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
d. Any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller’s prior written authorization.
7.3 Assistance to the Controller. The Processor will provide timely and reasonable assistance to the Controller regarding:
a. Responding to any request from an individual to exercise rights under applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable) and the Processor agrees to promptly inform the Controller if such a request is received directly;
b. The investigation of Personal Data Breaches and the notification to the Supervisory Authority and the Controller data subjects regarding such Personal Data Breaches; and
c. where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
7.4 Required Processing. If the Processor is required by Data Protection Laws to process any Personal Data for a reason other than in connection with the Agreement, the Processor will inform the Controller of this requirement in advance of any processing, unless the Processor is legally prohibited from informing the Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
7.5 Security. The Processor will:
a. Maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data;
b. Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all of the Processor’s personnel with respect to Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
c. Take appropriate steps to confirm that all of the Processor’s personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA; and
d. Notify the Controller of any Personal Data Breach by the Processor, its Subprocessors, or any other third parties acting on the Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
7.6 Additional Provisions for California Personal Information. When the Processor Processes California Personal Information in accordance with the instructions received from the Controller, the parties acknowledge and agree that the Controller is a Business and the Processor is a Service Provider for the purposes of the CCPA. The parties agree that the Processor will Process California Personal Information as a Service Provider strictly for the purpose of providing, supporting and improving the Processor’s services (including to provide insights and other reporting) (the “Business Purpose”) or as otherwise permitted by the CCPA. Further, the Processor (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and (iii) will not combine the California Personal Information with personal information that collected or received from another source (other than information received rom another source in connection with Processor’s obligations under the applicable Partner Agreement and/or the agreement(s) with the Joint Customer).
8.1 Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which the Processor processes Personal Data in order to ascertain or monitor compliance with Data Protection Laws, the Processor will cooperate with such audit. The Controller will reimburse the Processor for its reasonable expenses incurred to cooperate with the audit, unless such audit reveals the Processor’s noncompliance with this DPA.
8.2 Processor Certification. The Processor must, upon the Controller’s request provide a certification of compliance to the Controller (not to exceed one request per calendar year) by email (where LuvCoach AI is the Processor, such emails shall be sent to privacy@LuvCoach AI.com; where Partner is the Processor, Partner shall establish and provide to LuvCoach AI upon request a single point of contact for email correspondence regarding data protection), certify compliance with this DPA in writing.
The parties agree that on the termination of the data processing services or upon the Controller’s reasonable request, the Processor shall and shall take reasonable measures to cause any Subprocessors to, at the choice of the Controller, return all the Personal Data and copies of such data to the Controller or securely destroy them and demonstrate to the satisfaction of the Controller that it has taken such measures, unless applicable Data Protection Laws prevent the Processor from returning or destroying all or part of the Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with applicable laws.
This DPA shall remain in effect as long as either party carries out Personal Data processing operations on the Personal Data uploaded or otherwise provided by the other party pursuant to and in accordance with the Partner Agreement.
Each Party shall defend, indemnify, and hold harmless the other and its subsidiaries, affiliates, and its respective officers, directors, employees, and agents from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against the other arising out of or resulting from the breaching party’s failure to comply with any of its obligations under this DPA or the applicable laws, regulations, or principles contained. Each Party’s liability shall be subject to the limitation of liability in the applicable Partner Agreement.
SCHEDULE A
ANNEX A
DESCRIPTION OF THE TRANSFER
Categories of Data Subjects
The personal data transferred concerns the following categories of data subjects, depending on the agreement between the data importer and data exporter:
LuvCoach AI members; prospects, customers and employees of the data exporter; sales and marketing leads of the data exporter; prospects, customers and employees of the data importer, third parties that have, or may have, a commercial relationship with the data exporter or the data importer (e.g. advertisers, corporate subscribers, contractors and product users).
The personal data transferred concern the following categories of data depending on the agreement between the data importer and the data exporter:
Such personal data may include first name, last name, email address, contact information, education and work history and other information provided in LuvCoach AI member profiles, resumes, CRM data concerning marketing and sales leads and customer lists, any notes provided by the data exporter regarding the foregoing and other activities of LuvCoach AI members taken on the LuvCoach AI platform.
Sensitive data (if appropriate) The processing of Sensitive Data is subject to the scope limitations, restrictions, and safeguards mutually agreed upon by the parties, as reflected in the permissible scope of the Joint Customer Subscription Services.
Frequency of transfer
The personal data is transferred continuously.
Nature and purpose of the processing
The transfer is made for the following purposes: (1) to comply with the obligations set in the applicable Partner Agreement; and (2) to comply with Applicable Data Protection Law.
Period for which personal data will be retained
The personal data transferred between the parties may only be retained for the period of time permitted under the Partner Agreement. The parties agree that each party will, to the extent that it, along with the other party, acts as a Controller with respect to Personal Data, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in Data Protection Laws.
Subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing is as described in the Agreement, including this DPA.
Competent supervisory authority
For the purposes of the Standard Contractual Clauses, the competent supervisory authority is the authority of the EEA member state in which Partner or Partner’s EEA representative is established (with respect to Partner Personal Data).
ANNEX B
SECURITY MEASURES
We use a variety of security technologies and procedures to help protect your Personal Data. All Personal Data is protected using appropriate physical, technical and organizational measures. For more on Security at LuvCoach AI, please see https://MiraLuna.life/security.