Data Processing Agreement

This Global Data Processing Agreement (“DPA”), effective as of the date of the Master Agreement (the “Effective Date”), is entered into by and between L9 Labs, Inc. dba Duckbill (“Provider” or “Data Processor”), and Customer (or “Data Controller”) (each, a “Party” and together, the “Parties”). 

The Data Processor may from time to time process Personal Information on behalf of the Data Controller to enable the Data Processor to provide services through its Skyway platform (“Services”) to the Data Controller in accordance with the Master Agreement entered into by and between the Parties (“Master Agreement”). The Data Controller may make Personal Information available to the Data Processor in connection with these Services and the Parties intend that the processing activities carried out by the Data Processor on behalf of the Data Controller shall comply with the provisions of this DPA and the Master Agreement.

  1. DATA PROCESSING AND PROTECTION.
  1. Compliance with Law. Provider will comply with all Privacy Laws applicable to Provider relating to the privacy, confidentiality, security, or Processing of Personal Information in connection with the Services.
  2. Limitations on Use. Provider will Process Personal Information (i) on Customer’s behalf, in the context of its business relationship with Customer and in accordance with Customer’s instructions, and (ii) as required by Privacy Laws or any other legal obligation to which Provider is subject, provided that Provider will inform Customer (unless prohibited by law) of the applicable legal requirement before any such processing. Specifically, the scope, classification and details of Processing (the “Business Purpose”) are described in Schedule A below (Description of Transfer).  The duration of the Processing will be the same as the duration of the Master Agreement, except as otherwise agreed to in this DPA. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Privacy Laws.  
  3. CCPA. Provider acknowledges and agrees that the obligations in this DPA apply with respect to Personal Information subject to CCPA. The terms “commercial purpose,” “personal information,” “service provider,” “sell,” and “share,” have the meanings set out in CCPA. Provider acknowledges that it is a service provider and agrees and certifies that it shall not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose, including a commercial purpose, other than the Business Purpose; (c) retain, use, or disclose Personal Information outside of the direct business relationship between Provider and Customer; or (d) combine Personal Information with personal information that Provider receives from or on behalf of another person, or collects from its own interactions with the Individual. 
  4. Confidentiality. Provider will ensure that Provider Personnel who will be provided access to, or will otherwise Process, Personal Information are subject to a written confidentiality agreement or are under an appropriate statutory obligation of confidentiality.
  5. Information Security Program. Provider will implement, maintain, and, where necessary, update a written information security program that contains appropriate administrative, technical and physical safeguards to ensure the integrity and resilience of Personal Information and protect Personal Information against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, or disposal; unauthorized, unlawful or accidental loss, destruction, acquisition or damage; or any other unauthorized form of Processing) (“Information Security Program”). 
  6. Subprocessors. Customer hereby provides general authorization to Provider’s use of subprocessors to process Customer Information. A list of subprocessors currently engaged by Provider is available at https://trust.duckbillhq.com/subprocessors. Provider will enter into written agreements with each subprocessor containing reasonable provisions relating to the implementation of technical and organizational measures in compliance with Privacy Laws. Provider will remain liable for acts and omissions of its subprocessors in connection with its obligations under the Master Agreement. 
  7. Requests or Complaints from Individuals. To the extent Customer is unable to independently access the relevant Personal Information within Skyway, Provider will, taking into account the nature of the Processing, provide reasonable cooperation to assist Customer to respond to any requests or complaints from Individuals or applicable data protection authorities relating to the Processing of Personal Information under the Master Agreement. If any such request is made to Provider directly, Provider will not respond unless expressly authorized to do so by Customer, unless Provider is legally compelled to do so. If Provider is legally compelled to respond to such a request, Provider will promptly notify Customer and provide it with a copy of the request unless it is legally prohibited from doing so.
  8.  Regulatory Investigations. Upon notice to Provider, Provider will assist and support Customer in the event of an investigation by any law enforcement body or regulator, including a data protection or similar authority, if and to the extent that such investigation relates to Personal Information handled by Provider on behalf of Customer in accordance with this DPA. Such assistance will be at Customer’s sole expense, except where investigation was required due to Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense. 
  9. Data Breach.  Provider will notify Customer without undue delay (and in any event within seventy-two (72) hours) of any known breach of security leading to the accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Information stored or otherwise Processed by Provider in connection with the Master Agreement (a “Data Breach”). Provider will also provide reasonable assistance to Customer in Customer’s compliance with its Data Breach-related obligations, including without limitation by: (a) taking steps to mitigate the effects of the Data Breach and reduce the risk to Individuals whose Personal Information was involved (such steps to be determined by Provider in its sole discretion); and (b) providing Customer with the following information, to the extent known: (i) the nature of the Data Breach, including, where possible, how the Data Breach occurred, the categories and approximate number of Individuals concerned, and the categories and approximate number of records containing Customer Information concerned; (ii) the likely consequences of the Data Breach; and (iii) the measures Provider has taken or proposes to take to address the Data Breach, including where appropriate measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay. For the avoidance of doubt, “Data Breach” does not include unsuccessful attempts or activities that do not result in the accidental, unauthorized or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Information, including, but not limited to, unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. The parties agree that notice under this section is not an admission of fault or liability by the notifying party.. 
  10. Return or Disposal. Provider will, as appropriate and as directed by Customer, regularly dispose of Personal Information that is maintained by Provider but that is no longer necessary to perform its obligations under the Master Agreement or applicable laws. Upon Customer’s request or as otherwise required by law, Provider will immediately cease handling Personal Information and will return such Personal Information in a manner and format reasonably requested by Customer or, if specifically directed by Customer, will destroy, any or all Personal Information in Provider’s possession, power or control, except as otherwise required by law applicable to Provider. If Provider has such a legal obligation to retain Personal Information beyond the period otherwise specified by this Section, Provider will notify Customer in writing of that obligation, to the extent permitted by applicable law, and will return or destroy the Personal Information in accordance with this Section as soon as possible after that legally required retention period has ended. Upon request, Provider will provide a written certification that Personal Information has been returned or securely destroyed in accordance with this DPA.
  11. Assistance. Taking into account the nature of the processing and the information available to Provider, Provider will provide reasonable assistance to Customer in complying with Customer’s obligations under applicable Privacy Laws which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation. Any such assistance is subject to Provider’s written agreement and may be subject to additional fees. In addition, Provider will inform Customer if Provider believes that any instructions of Customer regarding the Processing of Personal Information would violate applicable law.
  12. Adverse Changes. Provider will notify Customer promptly if Provider: (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and cannot cure this inability to comply within a reasonable time frame; or (ii) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this DPA.  In the event that this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either party’s obligations under the laws applicable to each Party, the Parties will negotiate in good faith upon an appropriate amendment to this DPA.

MISCELLANEOUS. The obligations of Provider under this DPA will continue for as long as Provider continues to have access to, is in possession or control of, or acquires Personal Information, even if all agreements between Provider and Customer have expired or have been terminated. The Parties agree that this DPA may be amended only by written agreement between the Parties. To the extent there is any conflict between Sections 1 to 3 of this DPA and the terms of any applicable Standard Contractual Clauses (“SCC’s”) , the terms of the SCC’s will prevail. To the extent the terms of the DPA conflict with any Agreement between the Parties with regard to the Processing of Personal Information, the terms of the DPA will prevail. This DPA may be executed in several counterparts (including delivery via facsimile or electronic mail), each of which will be deemed to be an original but all of which together will constitute one and the same instrument. 

DEFINITIONS. Capitalized terms used but not defined in this DPA will have the meanings set forth in the applicable Master Agreement. 

  1. CCPA” means the California Consumer Privacy Act of 2018, as may be amended and superseded from time to time, including by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder
  2. Customer Information” means information or data provided by Customer in any form, and data used, generated or stored in connection with Customer’s use of the Services, including Personal Data. 
  3. Individual” means any individual about whom Personal Information may be Processed under this DPA.
  4. Personal Information” or “Personal Data” means any Customer Information received under this DPA that identifies, directly or indirectly, an individual or relates to an identifiable individual.
  5. Privacy Laws” means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security or Processing of Personal Information including, without limitation, the CCPA, the General Data Protection Regulation (2016/679), the European Union Directives governing electronic commerce (Directive 2002/58/EC), and data retention (Directive 2006/24/EC); the UK General Data Protection Regulation; the Privacy Act 1988 (Cth), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s anti-spam legislation or “CASL”); the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); information security breach notification laws (such as Cal. Civ. Code §§ 1798.29, 1798.82 – 1798.84); laws imposing minimum information security requirements (such as Cal. Civ. Code § 1798.81.5 and 201 Mass. Code Reg. 17.00); laws requiring the secure disposal of records containing certain Personal Information (such as N.Y. Gen. Bus. Law § 399-H), and all similar international, federal, provincial, state and local requirements
  6. Process” or “Processing” means any operation or set of operations performed upon any information or data, whether or not by automatic means, including the collection, recording, organization, structuring, alteration, access, disclosure, copying, transfer, storage, deletion, retention, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, sale, sharing, augmentation or other use of Personal Information, whether by automated means or otherwise.
  7. Provider Personnel” means any Provider’s employee, contractor, subcontractor or agent to whom Provider authorizes to access or Process Customer Information. 
  8. Transfer” means the access by, transfer or delivery to or disclosure of Personal Information to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated.

Schedule A

Details of the Processing Activities

Nature and Purpose of Processing: Provider will process Customer Information as necessary to provide the Services under the Master Agreement, for the purposes specified in the  Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.

Duration of Processing: Provider will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Provider’s legitimate business needs; or (iii) by applicable law or regulation. Customer Content and Usage Data will be processed and stored as set forth in the Agreement and this DPA. 

Categories of Data Subjects: Customer employees

Categories of Personal Data: Provider processes Personal Data contained in Customer Content, Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Provider in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include name, location, email address, and unique identifiers such as passwords.

Sensitive Data or Special Categories of Data: None