Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service between Lemma, Inc. ("Processor") and the entity agreeing to these terms ("Controller") and applies to the extent that Lemma processes Personal Data on behalf of the Controller in connection with the Service. This DPA is incorporated into and forms part of the agreement between Controller and Processor. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Lemma on behalf of the Controller. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure. "Sub-processor" means any third party engaged by Lemma to process Personal Data on behalf of the Controller. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

Lemma shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. Lemma shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection legislation. Lemma shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Lemma shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The Controller provides general authorization for Lemma to engage Sub-processors, subject to the conditions set out in this section. Lemma shall maintain an up-to-date list of Sub-processors on its website and shall notify the Controller of any intended changes to Sub-processors at least thirty (30) days in advance. The Controller may object to the appointment of a new Sub-processor by notifying Lemma in writing within fourteen (14) days of receiving notice. Lemma shall impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA.

Lemma shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law. Lemma shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond to such request without the Controller's prior authorization. Lemma shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.