
Data Processing Agreement
Questions? Email us directly info@lava.ai
This Data Processing Agreement (“DPA”) describes the relationship between you, (“Customer” or “Controller”), and Lava.ai, Inc., a Delaware corporation with offices at 1517 Northpoint, #482, San Francisco, CA 94123 (“LAVA” or “Processor”) (each, a “Party” and collectively the “Parties”) and defines the roles and responsibilities with respect to processing of Covered Data in accordance with applicable consumer data laws and regulations, and in the context of the Agreement between you and LAVA. This DPA supplements the General Terms & Conditions found here: https://www.lava.ai/generalterms-online, and the Order Form entered into between the Parties and to which this DPA is attached.
1. DEFINITIONS
a. Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
b. “Agreement” means these Online General Terms of Service, the associated Order Form, any applicable Product & Services License and/or Statement of Work, as well as this DPA.
c. “Covered Data” means Personal Data that is provided by or on behalf of Controller to Processor in connection with the Services.
d. “Customer” means the entity identified in the Order Form as “Customer” or otherwise identified in the Order Form as the customer.
e. “Data Subject” means a natural person whose Personal Data is Processed.
f. “Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
g. “EU GDPR and US Data Protection Laws” means, to the extent applicable, European Union, United Kingdom and federal and state laws of the United States relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the EU and the US.
h. “Order Form” means the sales order form, products and services license, statement of work, or other written document for the Products and Services that is executed between LAVA and Customer.
i. “Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under EU GDPR and US Data Protection Laws.
j. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
k. "Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
l. "Services" means the services to be provided by the Processor pursuant to the Agreement.
m. "Sub-processor" means an entity appointed by a Processor to Process Covered Data on its behalf.
2. INTERACTION WITH THE AGREEMENT
a. This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
b. Any Processing operation as described in clause 4 (Details of Data Processing) and Schedule 1 (Details of Processing) to this DPA will be subject to this DPA.
3. ROLE OF THE PARTIES
a. The Parties acknowledge and agree that for the purposes of the EU GDPR and US Data Protection Laws, Processor will act as a "service provider" or “processor” (as defined in EU GDPR and US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.
4. DETAILS OF DATA PROCESSING
a. The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 (Details of Processing).
b. Covered Data will only be Processed on behalf of and under the instructions of Controller and in accordance with EU GDPR and US Data Protection Laws. The Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Controller may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Processor is prohibited from:
c. selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
d. sharing Covered Data with any third party for cross-context behavioral advertising;
e. retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by EU GDPR and US Data Protection Laws;
f. retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and
g. except as otherwise permitted by EU GDPR and US Data Protection Laws, combining Covered Data with Personal Data that Processor receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
h. Processor is permitted to deidentify Personal Data through a reliable state of the art anonymization procedure and use such Deidentified Data for its own business purposes.
i. Processor will limit access to Covered Data to personnel who have a business need to have access to such Covered Data, and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement.
j. Processor may Process Covered Data anywhere that Processor or its Sub-processors maintain facilities, subject to clause 5 (Sub-Processors) of this DPA.
k. Processor will provide Controller with information to enable Controller to conduct and document any data protection assessments required under EU GDPR and US Data Protection Laws. In addition, Processor will notify Controller promptly if Processor determines that it can no longer meet its obligations under EU GDPR and US Data Protection Laws.
l. Controller will have the right to take reasonable and appropriate steps to ensure that Processor uses Covered Data in a manner consistent with Controller’s obligations under EU GDPR and US Data Protection Laws.
5. SUB-PROCESSORS
a. Controller grants Processor the general authorization to engage Sub-processors, subject to clause 5.b, as well as Processor's current Sub-processors listed in Schedule 3 (Sub-Processors) as of the Effective Date.
b. Processor will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor’s obligations under this DPA.
c. Processor will provide Controller with at least thirty (30) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Controller may object to Processor’s use of a new Sub-processor by providing Processor with written notice of the objection within ten (10) days after Processor has provided notice to Controller of such proposed change (an "Objection"). If Controller does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Controller objects to Processor’s use of a new Sub-processor, Controller and Processor will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party. During any such Objection period, Processor may suspend the affected portion of the Services.
6. DATA SUBJECT RIGHTS REQUESTS
a. As between the Parties, Controller will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under EU GDPR and US Data Protection Laws (each, a "Data Subject Request").
b. Processor will promptly forward to Controller without undue delay any Data Subject Request received by Processor or any Sub-processor and may advise the individual to submit their request directly to Controller.
c. Processor will provide Controller with reasonable assistance as necessary for Controller to fulfil its obligation under EU GDPR and US Data Protection Laws to respond to Data Subject Requests, including if applicable, Controller’s obligation to respond to requests for exercising the rights set out in EU GDPR and US Data Protection Laws.
7. SECURITY AND AUDITS
a. Processor will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
b. Processor will implement and maintain as a minimum standard the measures set out in Schedule 2 (Technical and organizational measures).
c. Controller will have the right to audit Processor’s compliance with this DPA. The Parties agree that all such audits will be conducted:
d. upon reasonable written notice to Processor;
e. only once per year; and
f. only during Processor’s normal business hours.
g. In conducting such audits, Controller may engage a third-party auditor subject to such auditor complying with the requirements under clause 7 and provided that such auditor is suitably qualified and independent.
h. To request an audit, Controller must submit a detailed proposed audit plan to Processor at least two weeks in advance of the proposed audit date. Processor will review the proposed audit plan and work cooperatively with Controller to agree on a final audit plan. All such audits must be conducted subject to the agreed final audit plan and Processor’s health and safety or other relevant policies.
i. Controller will promptly notify Processor of any non-compliance discovered during an audit.
j. Controller will bear the costs for any audit initiated by Controller, unless the audit reveals material non-compliance with the requirements of this DPA.
k. Upon request, Processor will provide to Controller documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Processor may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Controller’s audit request and Processor confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
l. Processor will audit its Sub-processors on a regular basis and will, upon Controller’s request, confirm their compliance with EU GDPR and US Data Protection Laws and the Sub-processors’ contractual obligations.
8. SECURITY INCIDENTS
a. Processor will notify Controller in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Controller under EU GDPR and US Data Protection Laws to make any notifications, such as to individuals or government agencies. Processor will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Controller timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Processor’s notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Security Incident.
b. Processor will provide reasonable assistance with Controller's investigation of the possible Security Incident and any notification obligation of Controller under EU GDPR and US Data Protection Laws, such as in relation to individuals or supervisory authorities.
9. DELETION AND RETURN
a. Processor will, within thirty (30) days of the date of termination or expiry of the Agreement, (a) if requested to do so by Controller within that period, return a copy of all Covered Data or provide a self-service functionality allowing Controller to do the same; and (b) delete all other copies of Covered Data Processed by Processor or any Sub-processors.
10. CONTRACT PERIOD
a. This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Processor’s deletion of all Covered Data as described in this DPA.
11. DEIDENTIFIED DATA
a. If Processor receives Deidentified Data from or on behalf of Controller, then Processor will:
b. take reasonable measures to ensure the information cannot be associated with a Data Subject.
c. publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.
d. contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and EU GDPR and US Data Protection Laws.
12. GENERAL
a. The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
b. The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in EU GDPR and US Data Protection Laws.
c. This DPA and the Agreement set forth the entire agreement between the Parties with respect to the subject matter hereof.
SCHEDULE 1
DETAILS OF PROCESSING
1. Categories of Data Subjects
The categories of Data Subjects whose Personal Data are Processed: Controller’s End Users.
2. Categories of Personal Data
The Processed categories of Personal Data are: name, phone number, email address, address, time zone.
3. Categories of Sensitive Personal Data (if applicable)
The Processed Personal Data includes the following categories of sensitive data: N/A
4. Frequency of the Processing
The Processing is performed continuously.
5. Purpose(s) of the Processing
The purpose of the Processing is: perform the Services as stipulated in the Agreement.
6. Duration
The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period: if Personal Data is not deleted upon request by Controller during the term of the Agreement, the duration of Processing will be as long as this DPA remains in effect.
7. Sub-processor (if applicable)
For Processing by sub-processors, specify subject matter, nature, and duration of the Processing: perform specific Services to facilitate LAVA’s performance of the Services under the Agreement for as long as necessary to provide such services, unless otherwise terminated by LAVA.
SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Processor has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
1) Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Processor’s information security program.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Processor’s organization, monitoring and maintaining compliance with Processor’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
a) being transmitted by Processor over public networks (i.e., the Internet) or when transmitted wirelessly; or
b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
4) Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
5) Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that Processor’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on Processor’s computer systems; (iii) have defined complexity; (iv) have a history threshold to prevent reuse of recent passwords; (v) use multi-factor authentication; and (vi) be changed after first use when newly issued.
6) System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
7) Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Processor facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
8) Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Processor’s possession.
9) Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Processor’s technology and information assets.
10) Incident / problem management procedures designed to allow Processor to investigate, respond to, mitigate, and notify of events related to Processor’s technology and information assets.
11) Network security controls that provide for the use of firewall systems, intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12) Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
13) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
SCHEDULE 3
SUB-PROCESSORS
Processor//Description of Services
- Google Cloud Services//Infrastructure Hosting
- Amazon Web Services (S3 Buckets)//Infrastructure Hosting
- Google//Infrastructure Hosting
- Tableau (YES)//Platform - Passes and Push Notifications
- Datadog (Month to Month)//Passes and Push Notifications
- Twilio (Phone #'s) transactional//Platform - Analytics
- Mailgun (Emails)//Platform - Logging
Please also feel free to contact LAVA if you have any questions about this DPA or any other part of the Agreement. You may contact LAVA through your client success lead, at support@LAVA.com generally, or at our mailing address: 1517 Northpoint, #482, San Francisco, CA 94123.
Last updated: May 16, 2025