This data processing agreement (”Agreement”), including Annexes 1 and 2, form part of the main agreement(s) between LifeLabs Group, Inc. dba LifeLabs Learning and you (“Company”) (each individually a Party and collectively the “Parties”) and all further agreements executed under it including the Rules of Engagement and Statement of Work (collectively, the “Main Agreement”). This Agreement is effective as of the execution date of the Main Agreement


Definitions

The following terms shall have the following meanings. Capitalized terms not defined herein shall have the same meaning set forth in the Main Agreement.

a. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party.

b. “Controller” means the Party or Parties to this Agreement that determine(s) the purposes and means of the Processing of Personal Data for purposes of the Agreement or the Main Agreement.

c. “Controller Personal Data” means any Personal Data Processed by a Party under the Agreement in its capacity as a Controller.

d. “Data Protection Law(s)” means all laws and regulations applicable to the Processing of Company Personal Data under the Agreement, including, as applicable, the laws and regulations of the United States, the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including as applicable the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”) and the Brazilian General Data Protection Law (the Lei Geral de Proteção de Dados).

e. “Data Subject” means an identified or identifiable natural person.

f. “Personal Data” shall mean “personal data,” “personal information,” or equivalents as defined in applicable Data Protection Laws. In the absence of applicable Data Protection Laws, “Personal Data” shall mean any information relating, directly or indirectly, to an identified or identifiable natural person.

g. “Process,” “Processes,” “Processing,” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, accessing, releasing, disclosing, making available, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise, aligning or combining, restricting, erasing or destroying.

h. “Processor” means a Party to this Agreement that Processes Personal Data on behalf of Company or Company Affiliates. The term Processor as used herein is equivalent to the term “Processor” as used in the GDPR, and the term “Service Provider” as used in the CCPA.

i. “Sub-processor” means a Processor engaged by a Processor, including LifeLabs, to Process Company Personal Data."

j. “Company Data Subject” means the Data Subject whose Company Personal Data is, or will be, Processed.

k. “Company Personal Data” means Company Data Subject Personal Data that is Processed by LifeLabs for the purposes described in Annex 1 to this Agreement. For purposes of this Agreement, Company Personal Data does not include the name and contact information of those Company employees who are responsible for interacting with LifeLabs to perform under the Main Agreement, and any Personal Data incidentally received by LifeLabs as a result of those interactions.


1. General Terms

1.1. Roles of Parties. The Parties acknowledge and agree that Company is Controller of the Company Personal Data Processed in connection with the Main Agreement, and that LifeLabs is a Processor of such Personal Data.

1.2. Overview of Company Personal Data Processing. LifeLabs shall Process Company Personal Data as indicated in Annex 1. The Parties acknowledge and agree that Annex 1 reflects Company’s written instructions regarding the Processing of Company Personal Data in connection with the Agreement.

1.3. Cross border transfer. If LifeLabs’s Processing of Personal Data involves the transfer of Personal Data of Company Data Subjects in the EEA, United Kingdom and/or Switzerland to a country or territory outside of those regions, the parties hereby incorporate, and agree to comply with, the Standard Contractual Clauses of June 4, 2021 (“SCCs”) approved by the European Commission, Module 2. In such case,

1.3.1. The parties will complete Annex 1, and agree to Annex 2, of this Agreement in lieu of the Annexes to the SCCs.

1.3.2. The competent supervisory authority for purposes of the SCCs is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

1.3.3. The Parties represent that they do not believe the laws and practices in any country to which Company Personal Data is transferred for purposes of the Main Agreement will prevent LifeLabs from fulfilling its obligations under this Agreement or the SCCs.

1.4. Compliance with laws. LifeLabs shall comply with applicable laws, rules, self-regulatory requirements, and regulations, including Data Protection Laws, in connection with its Processing of Company Personal Data.

1.5. Limitations and Prohibitions.

1.5.1. LifeLabs shall only Process Company Personal Data for the purpose of performing its obligations under the Main Agreement, and may not use Company Personal Data for any other purpose unless otherwise agreed by the Parties in writing.

1.5.2. LifeLabs shall (1) limit access to Company Personal Data to only those employees or agents that require access to perform their roles and responsibilities in connection with the Main Agreement, and (2) under no circumstances rent, sell or disclose Company Personal Data, except as otherwise allowed under this Agreement or the Main Agreement.

1.5.3. LifeLabs will not combine Company Personal Data with data from any other source, company, organization or entity, unless necessary to perform its obligations under the Main Agreement. LifeLabs will not copy or reproduce Company Personal Data for its own purposes or those of any Sub-processor or other third party.

1.6. Data Security. LifeLabs will maintain appropriate measures to protect the integrity, security and confidentiality of all Company Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include at a minimum those set forth in Annex 2 to this Agreement.

1.7. Data Retention and Deletion

1.7.1. Unless otherwise required by law, LifeLabs shall, and shall require any Sub-processor to, destroy or return to Company (at Company’s election) all Company Personal Data in its/their possession, custody and control: (a) upon termination or expiration of the Main Agreement; (b) upon the winding down or insolvency of the company’s business; (c) once no longer necessary to perform its obligations under the Main Agreement; or (d) upon request by Company. If LifeLabs, or any Sub-processor of LifeLabs, is prevented from deleting or destroying any Company Personal Data in these circumstances by applicable law, it shall notify Company in writing and delete or destroy such Company Personal Data once it is no longer prevented from doing so by applicable law. At Company’s request, LifeLabs shall provide Company with a written log evidencing the destruction and any retention of Company Personal Data. LifeLabs cannot meet the requirements of this paragraph by anonymizing or aggregating Company Personal Data in lieu of destruction or return of such data to Company.

1.8. Data Security Incidents

1.8.1. Notice to Company. LifeLabs shall notify Company without undue delay, and, where feasible, not later than seventy-two (72) hours after discovery of an actual or suspected unauthorized access to, or acquisition or disclosure of, Company Personal Data, or other actual or suspected breach of security or confidentiality with respect to Company Personal Data in the possession or control of LifeLabs, its representatives, and/or any Sub-processor of LifeLabs (a “Data Security Incident”). Such notice shall be sent to the Company persons or team designated to receive notices under the Main Agreement;

1.8.2. Third Party Notices. If a Data Security Incident requires notice to any regulator, Data Subject or other third party: (1) LifeLabs shall assist Company to provide such notifications if requested by Company; (2) Company shall have sole control over the content, timing and method of distribution of any needed notice, unless otherwise required by applicable law; (2) LifeLabs may notify the affected parties only upon Company’s prior written approval and instructions, unless otherwise required by applicable law (in which case LifeLabs shall provide Company with a copy of such notice as soon as possible and in all events prior to providing such notice to any regulator, Data Subject or other third party, unless otherwise required by law).

1.8.3. Notice requirements. The notice to Company required under Paragraph 1.8.1 shall include:

(i) a description of the Data Security Incident, including the location, date and time the Data Security Incident occurred and the location, date and time the Data Security Incident was discovered;

(ii) a description of the steps LifeLabs has taken, or plans to take, to investigate the Data Security Incident;

(iii) an overview of the affected Company Personal Data, including the types of Company Personal Data and whether the Company Personal Data was encrypted or redacted;

(iv) the number of affected Company Data Subjects and the city, state (if applicable) and country of the Data Subjects;

(v) the expected consequences of the Data Security Incident; and a description of the measures LifeLabs has taken, or plans to take, to mitigate such consequences.


2. Processor Terms

2.1. Compliance with Company instructions. LifeLabs shall only process Company Personal Data pursuant to Company’s written instructions, including as reflected in the Main Agreement and this Agreement, unless applicable Data Protection Laws require additional processing of Company Personal Data, or prohibit LifeLabs’s compliance with such written instructions. In such cases, LifeLabs will notify Company of that requirement or prohibition in advance of additional processing, unless prohibited by law from doing so. LifeLabs shall respond promptly to inquiries from Company regarding the Processing of Company Personal Data in compliance with this Agreement and Company’s written instructions regarding Processing of Company Personal Data.

2.2. Assistance to demonstrate compliance with laws. LifeLabs shall reasonably assist Company to demonstrate compliance with applicable Data Protection Laws, including by responding promptly and adequately to inquiries from Company regarding such compliance.

2.3. Requests or Demands from Governmental or Regulatory Bodies. LifeLabs shall inform Company as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over LifeLabs or Company relating to LifeLabs’s Processing of Company Personal Data, and shall fully cooperate with Company in connection with any response to such request or demand.

2.4. Data Subject Rights. LifeLabs shall promptly notify Company of any request by a Company Data Subject to exercise their rights under applicable Data Protection Laws, and reasonably assist Company to fulfill such request. LifeLabs shall not respond to such requests, unless instructed by Company to do so.

2.5. Assistance to Company. LifeLabs will provide reasonable assistance to Company as necessary for Company to comply with applicable Data Protection Laws, which may include assistance relating to: (a) performance of data protection impact assessments; and (b) keeping Company Personal Data accurate and up-to-date.

2.6. Sub-processors

2.6.1. Permitted Sub-processors. Company and LifeLabs agree that LifeLabs may engage any Sub-processor to Process Company Personal Data identified in Annex 1 to this Agreement. In the event LifeLabs seeks to engage a Sub-processor not identified in Annex 1, LifeLabs shall notify Company of its intent to engage such Sub-processor, and the purposes for which it will process Company Personal Data, at least 30 days prior to any Processing of Company Personal Data by the Sub-processor. If Company does not object to such engagement, Company will be deemed to have approved such engagement.

2.6.2. Sub-processor obligations. LifeLabs will not permit any Sub-processor to Process Company Personal Data, unless LifeLabs and the Sub-processor have entered into an agreement that imposes obligations on the Sub-processor that are no less restrictive and at least equally protective of Company Personal Data than those imposed on LifeLabs under this Agreement. Company may request a copy of such agreement between LifeLabs and any Sub-processor, and may withhold consent to the use of such Sub-Processor if LifeLabs does not provide such agreement or such agreement does not contain sufficient protection of Company Personal Data. LifeLabs may redact such agreement prior to sharing with Company to the extent necessary to protect its trade secrets or confidential information.

2.6.3. Sub-processor compliance with Data Protection Laws. LifeLabs is responsible for ensuring the compliance of Sub-processors with applicable Data Protection Laws, and with LifeLabs’s agreements with Sub-processors consistent with Section 2.6.2 of this Agreement, as relates to Sub-processors’ Processing of Company Personal Data.


3. Miscellaneous

3.1. Termination and Survival. This Agreement and all provisions herein shall survive so long as, and to the extent that, LifeLabs Processes or retains Company Personal Data.

3.2. Counterparts. This Agreement may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this Agreement by executing a counterpart.

3.3. Non-compliance: LifeLabs shall promptly inform Company if it is unable to comply with this Agreement. If LifeLabs cannot comply within a reasonable period of time, or the LifeLabs is in substantial or persistent breach of this Agreement or its obligations under this Agreement, Company shall be entitled to terminate the Agreement and the Main Agreement insofar as it concerns processing of Company Personal Data.

3.4. Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.

3.5. Conflicts. In case of contradictions between this Agreement and the provisions of the Main Agreement, the provisions of this Agreement shall prevail.

3.6. Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Main Agreement apply to this Agreement.



Annex 1 - Overview of Company Personal Data Processing

 

A Description of purpose(s) for which LifeLabs will Process Company Personal Data  To send workshop invitations and provide workshop related materials to participants.
B Categories of Data Subjects Company Consumers: individuals who use the Company’s platform or request/receive products and services via Company
Retailer Employees: individuals who own, operate, or are employed by retailers on Company’s platform
Company Partner Employees: individuals who work for clients or partners of Company (e.g., individuals employed by alcohol brands)
Company Employees
Other (please specify):
Insert text
C Location of Data Subjects ☐ Global
☐ European Economic Area (“EEA”)1, United Kingdom, and/or Switzerland
☐ North America
☐ Asia-Pacific
☐ South and Central America
☐ Middle East
☐ Africa
☐ Other (please specify):
D Countr(y)(ies) to which Company Personal Data will be transferred United States
E Number of data subjects whose data will be transferred ☐ Less than 1,000
☐ Between 1,000 and 10,000
☐ 10,000 to 1,000,000
☐ 1,000,000+
F Personal Data to be Processed by LifeLabs

User or employee profile2
☒ First + last names
☒ Phone / email

G Frequency of transfer ☒ One-time transfer
☐ Repeated transfers
H Period that LifeLabs will retain Company Personal Data, OR, criteria used to determine retention period ☒ Retained for life of Main Agreement
☐ Other (Please state retention period and criteria used to determine it)
I LifeLabs Sub-processors to which LifeLabs transfers Company Personal Data

Sub-processor: Hubspot
Personal Data to be Processed: participant names and email addresses will be imported into Hubspot.
Purpose of the Processing: Personal data will be processed to facilitate the sharing of information on the workshops and provide workshop materials via email to workshop participants.
Duration of the processing: processing will take place during the term of the Main Agreement.

Sub-processor: SurveyMonkey
Personal Data to be Processed: participant email addresses will be collected in Survey Monkey.
Purpose of the Processing: Personal data will be processed to collect learner feedback on our live and asynchronous learning experiences so that we can identify learners who opt-in to being contacted by LifeLabs Learning directly for the purposes of asking about their learning experience. 
Duration of the processing: processing will take place during the term of the Main Agreement.

1 The countries of the EEA are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

2 Excluding the name and contact information of those Company employees who are responsible for interacting with Company in connection with its performance of its obligations under the Main Agreement.



Annex 2 - Organizational/Administrative, Physical and Technical Measures


1. Organizational/Administrative Security Measures: LifeLabs has implemented, and will maintain and update as appropriate throughout its Processing of Company Personal Data:

1.1. A written and comprehensive information security program in compliance with applicable data protection laws.

1.2. A data loss prevention program that reflects reasonable policies or procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft, which shall include at a minimum:

1.2.1. appropriate policies and technological controls designed to prevent loss of Company Personal Data; and

1.2.2. a disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Company Personal Data as well as security needs for back-up sites and alternate communication networks.

1.3. Policies and procedures to limit access to Company Personal Data to those who require such access to perform their roles and responsibilities in connection with the Main Agreement, including regular updates to such access based on changes to LifeLabs’s personnel, policies or procedures.

1.4. Procedures to verify all access rights through effective authentication methods.

1.5. A government agency data access policy that refuses government access to data, except where such access is required by law, or where there is imminent risk of serious harm to individuals.

1.6. Policies and procedures for assessing legal basis for, and responding to, government agency requests for data.

1.7. Specific training of personnel responsible for managing government agency requests for access to data, which may include requirements under applicable Data Protection Laws.

1.8. Processes to document and record government agency requests for data, the response provided, and the government authorities involved.

1.9. Procedures to notify Company about any request or requirement for government agency access to data, unless legally prohibited.


2. Physical Security Measures

2.1. LifeLabs has implemented, and will maintain and update as appropriate throughout its Processing of Company Personal Data, appropriate physical security measures for any facility used to Process Company Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.


3. Technical Security Measures: LifeLabs shall throughout its Processing of Company Personal Data:

3.1. perform vulnerability scanning and assessments on applications and infrastructure used to Process Company Personal Data.

3.2. secure its computer networks using multiple layers of access controls to protect against unauthorized access.

3.3. restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.

3.4. identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files.

3.5. use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that Process Company Personal Data.

3.6. encrypt Company Personal Data in transit.

3.7. encrypt Company Personal Data at rest and solely manage and secure all encryption keys (i.e., no other third party shall have access to these encryption keys, including Sub-processors).