This Data Protection Agreement (this “DPA”) is incorporated into and forms part of the written contract between Laylo, Inc. (“Laylo”) and any Customer (as defined in the Terms of Service (as defined below)). Laylo and Customer may each be referred to as a “Party” and collectively referred to as the “Parties.” Customer acknowledges and agrees that Customer is also bound by and agrees to abide by Laylo’s Terms of Service, Privacy Policy and Cookie Policy (collectively, “Laylo’s Policies”) as posted and made available on Laylo’s official website (www.laylo.com). Customer understands that Laylo’s Policies are subject to change at Laylo’s discretion, and Customer’s continued use of the Services shall constitute acceptance of any such changes.
Definitions. For purposes of this DPA:
“Data Protection Laws” means all laws, regulations, and other legal or self-regulatory requirements in any jurisdiction directly applicable to Laylo relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations (the “CCPA”), the Colorado Privacy Act and its regulations, the Connecticut Data Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Telephone Consumer Protection Act, 47 U.S.C. § 227 (the “TCPA”), and other applicable U.S. state and federal laws. For the avoidance of doubt, if the Parties’ Personal Data Processing activities are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.
“Laylo Data” means any Personal Data collected by Laylo, including user registration data for the Services (e.g., the name, date of birth, city, email, and phone number of an individual signing up to Laylo’s Platform (as defined in the Terms of Service) or Services), any related user data Processed by Laylo in connection with use of the Platform (e.g., timestamp for join date, message content), and phone numbers, messages, and metadata from messages generated in connection with the use of the Services. For clarity, Laylo Data does not include Customer Data.
“Customer Data” means any Personal Data Processed by Laylo on Customer’s behalf in connection with its use of the Services. Customer Data does not include Laylo Data.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by Data Protection Laws, that Laylo Processes in relation to the Terms of Service, and if applicable, the relevant separate written agreement and/or one or more statements of work, governing Customer’s use of the Services (the “Agreement”). The definition of Personal Data shall not include anonymized data and/or Resultant Data.
“Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Resultant Data” means information, data and other content that is derived by or through the Services from Processing or aggregating Personal Data or any other customer data and is sufficiently different from such Personal Data or company data, as applicable, that such Personal Data or company data, as applicable, cannot be reverse engineered or otherwise identified from the inspection, analysis or further Processing of such information, data or content.
“Security Breach” means any actual accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Services” means the services that Laylo performs on behalf of Customer pursuant to the Terms of Service or any other written agreement or SOW entered into between Laylo and Customer.
“Subprocessor” means any third party that Laylo engages to Process Personal Data to provide the Services.
The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”
Roles of the Parties; Scope and Purposes of Processing.
This DPA applies to all Personal Data that Laylo Processes in relation to the Agreement.
Customer is the Controller of Personal Data and Laylo is its Processor.
Laylo will Process Personal Data solely (i) in compliance with Data Protection Laws, (ii) on Customer’s behalf, and (iii) to fulfill its obligations to Customer under the Agreement, including this DPA.
Customer retains the right to take reasonable and appropriate steps to (i) ensure that Laylo Processes Personal Data in a manner consistent with Data Protection Laws, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
Each Party shall reasonably cooperate with the other Party to facilitate compliance with applicable laws, including but not limited to notification of affected individuals and reports to government authorities.
Personal Data Processing Requirements. Except as permitted by Data Protection Laws or Laylo’s Policies, Laylo will:
Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Laylo, or for any purpose (including any commercial purpose) not set forth in this DPA, except as necessary to provide the Services.
Not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws.
Comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Laylo receives from, or on behalf of, another person or persons, or that Laylo collects from any interaction between it and any individual.
Not attempt to (i) re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data, or (ii) link, identify, or otherwise create a relationship between Personal Data and any other data, without Customer’s express written permission.
Not otherwise engage in any Processing of Personal Data that is prohibited or not permitted by Processors or Service Providers under Data Protection Laws.
Ensure that the persons it authorizes to Process the Personal Data have committed themselves or agreed to confidentiality or are under an appropriate statutory or fiduciary obligation of confidentiality.
To the extent required by Data Protection Laws, use its commercially reasonable efforts to provide Customer with reasonable assistance and cooperation for the fulfillment of Customer’s obligations under Data Protection Laws, including but not limited to Customer’s obligation to (i) respond to requests by Data Subjects (or their lawful representatives) to exercise their rights under Data Protection Laws with regard to their Personal Data; (ii) perform any required data protection impact assessment of Processing or proposed Processing of Personal Data; and (iii) consult with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including any applicable obligation upon Laylo to consult with a regulatory authority in relation to Laylo’s Processing or proposed Processing of Personal Data. Laylo will promptly, and in any event within ten (10) days, notify Customer of any Data Subject or government requests regarding Laylo’s Processing of Personal Data on Customer’s behalf, and will await written instructions from Customer on how, if at all, to assist, at Customer’s sole cost, in responding, except that Laylo may respond solely to direct a Data Subject to contact Customer regarding their request.
Promptly notify Customer if Laylo determines that (i) it can no longer meet its obligations under this DPA or Data Protection Laws; (ii) it has breached this DPA, and shall use its commercially reasonable efforts to cooperate to remediate such breach; or (iii) in Laylo’s opinion, an instruction from Customer infringes Data Protection Laws.
TCPA. Laylo shall at all times comply with the TCPA, including by maintaining a mechanism through which consumers may opt out of text messages and refraining from messaging any consumer who has opted out of text messages unless and until such consumer has opted back in.
Data Security. Laylo will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Annex A attached hereto. Laylo will provide the level of protection for Personal Data that is required under Data Protection Laws applicable to Laylo with respect to the Services.
Security Breach. Laylo will notify Customer of any Security Breach without undue delay, and in any event within forty-eight (48) business hours after becoming aware of such Security Breach. Laylo will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will use its commercially reasonable efforts to or cause Vanta (or such other provider as is otherwise engaged by Laylo) to assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
taking steps to reasonably mitigate the effects of the Security Breach and reasonably reduce the risk to Data Subjects whose Personal Data was involved; and
providing or causing Vanta (or such other provider as is otherwise engaged by Laylo) to provide Customer with the following information, to the extent known:
The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
The likely consequences of the Security Breach; and
Measures taken or proposed to be taken by Laylo to address the Security Breach, including, where appropriate, measures to reasonably mitigate its possible adverse effects.
Subprocessors. Customer acknowledges and agrees that Laylo may use Subprocessors to Process Personal Data in accordance with this DPA and Data Protection Laws. Where Laylo sub-contracts any of its rights or obligations concerning Personal Data to a Subprocessor, Laylo will: (i) take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws; and (ii) enter into a written agreement (which may be electronic) with each Subprocessor and use Laylo’s commercially reasonable efforts to require such Subprocessor to abide by the same or substantially similar terms as those contained in this DPA. Subject to the Terms of Service, Laylo will remain liable for any breaches of this DPA caused by its Subprocessors.
The list of such Subprocessors (which shall be updated from time-to-time) may be made separately available to Customer at Customer’s request. If Customer objects to any new Subprocessor that has been added to the list, it may stop using the Services or if applicable, terminate the Agreement with written notice to Laylo that includes legitimate and documented grounds for the objection.
Audits. Laylo will make available to Customer all information relevant to the processing of Personal Data by Laylo and its Subprocessors reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by Customer or another independent, accredited third-party auditor selected by Customer, at Laylo’s normal business hours, provided that, except in the case of a material Security Breach, for which there is no frequency limitation, such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent Laylo’s personnel are required to cooperate therewith, during Laylo’s normal business hours. Before the commencement of any audit or inspection, Customer and Laylo will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit or inspection. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Laylo expends for any such audit, in addition to the rates for services performed by Laylo. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Laylo and Laylo shall promptly cure any material non-compliance, subject to the terms of Laylo’s Policies.
Data Transfers. In the event of a restricted transfer of Customer Data via the Services from the European Economic Area, the United Kingdom, or Switzerland to another territory not recognized by the applicable competent regulatory authority or governmental body as providing an adequate level of protection for Personal Data, the parties will agree to Standard Contractual Clauses. Any transfer of Customer Data from Laylo to a Subprocessor shall be done in compliance with a permitted legal mechanism or agreement as required under Data Protection Law, including, as applicable, the Standard Contractual Clauses, which Customer authorizes Laylo to enter into with a Subprocessor on Customer’s behalf.
Laylo Data. Unless agreed to by the Parties pursuant to the Agreement, with respect to Laylo Data, the parties acknowledge that Laylo is the Controller and an independent controller, as applicable under Data Protection Laws, not the Customer’s Processor or a joint controller with Customer. Laylo will Process Laylo Data consistent with the Privacy Policy (available at: https://laylo.com/privacy). In the event of a transfer of Laylo Data from Laylo to Customer, each party shall independently comply with its own obligations under Data Protection Laws and parties shall be independent controllers.
Laylo may offer Customer the ability to export certain Laylo Data from the Services, using the Services’ then-existing features and functionality and subject to Laylo’s policies, terms, and legal obligations. If Customer receives an export of Laylo Data, then: (a) Customer will Process such Laylo Data consistent with Customer’s privacy policy; (b) if and to the extent the term “sell” is defined under the Data Protection Laws, Customer shall not sell such information; and (c) except with Laylo’s prior written consent, Customer shall not, directly or indirectly, use any included Personal Data to call or send text messages to any individual.
Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws and subject to the terms of the Agreement, Laylo will, at its choice, return to Customer and/or securely destroy all Personal Data upon (a) written request of Customer or (b) termination of the Agreement. Except to the extent prohibited by Data Protection Laws, Laylo will inform Customer if it is not able to return or delete Personal Data.
Indemnification and Limitation of Liability. To the extent permitted by Data Protection Laws, the Parties will indemnify each other, subject to the terms of Laylo’s Policies.
Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Laylo or its Subprocessors Process Personal Data, subject to the terms of Laylo’s Policies and the Agreement and provided that any indemnification and liability limitations in Laylo’s Policies and the Agreement shall survive any termination or expiration of the Agreement.
Severability. If any provision of this DPA is invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability shall not affect any other term or provision of this DPA or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal or unenforceable, the parties shall negotiate in good faith to modify this DPA so as to effect the original intent of the parties as closely as possible in a mutually acceptable manner in order that the transactions contemplated by this DPA be consummated as originally contemplated to the greatest extent possible.
Governing Law; Submission to Jurisdiction; WAIVER OF JURY TRIAL. This DPA is governed by and shall be construed in accordance with the internal laws of the State of California without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any other jurisdiction. Any Action arising out of or related to this DPA, the licenses granted hereunder or the transactions contemplated hereby shall be instituted exclusively in the federal courts of the United States of America or the courts of the State of California, in each case located in the City of Los Angeles, and each party irrevocably submits to the exclusive jurisdiction of such courts in any such Action. In the event of any Action arising out of or related to this DPA, the licenses granted hereunder or the transactions contemplated hereby, the prevailing party thereto shall be entitled to, in addition to any other damages assessed, its reasonable attorneys’ fees and all other costs and expenses incurred in connection therewith; provided that any obligation by Laylo hereunder remains subject to the terms of Laylo’s Policies and the Agreement.
EACH PARTY IRREVOCABLY AND UNCONDITIONALLY WAIVES ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY IN RESPECT OF ANY ACTION ARISING OUT OF OR RELATING TO THIS DPA, THE LICENSES GRANTED HEREUNDER OR THE TRANSACTIONS CONTEMPLATED HEREBY.
Relationship of the Parties. The relationship between the parties is that of independent contractors. Nothing contained in this DPA shall be construed as creating any agency, partnership, joint venture or other form of joint enterprise, employment or fiduciary relationship between the parties, and neither party shall have authority to contract for or bind the other party in any manner whatsoever.
Entire Agreement. This DPA, the Agreement and Laylo’s Policies constitute the sole and entire agreement between the Parties with respect to the subject matter of this DPA and supersede and merge all prior and contemporaneous proposals, understandings, agreements, representations and warranties, both written and oral, between the parties relating to such subject matter. In the event of any conflict or inconsistency between the terms of this DPA, the Agreement, the Terms of Service and Laylo’s Policies, this DPA and the terms of Laylo’s Policies shall prevail, unless otherwise expressly indicated in any such Agreement.
Authority. Each Party has the legal authority to enter into this DPA and perform its obligations hereunder. The person signing this DPA on behalf of such Party has the full authority to execute and bind such Party to this DPA and all the agreements referenced herein.
Updates. Laylo may update the terms of this DPA from time to time; provided, however, Laylo will provide prior reasonable notice to Customer when an update is (a) required by applicable laws or (b) as a result of a merger, acquisition, or other similar transaction.
Failure to Perform. In the event that changes in Data Protection Laws render performance of this DPA impossible or commercially unreasonable, the Parties may renegotiate this DPA in good faith. If renegotiation would not cure the impossibility or the parties cannot reach an agreement, the parties may mutually agree to terminate the DPA for convenience.
Incorporation by Reference: The Parties hereby agree that by Customer using any Services, each Party shall (a) be deemed to have agreed to all of the agreements and covenants made by such Party under this DPA fully and to the same extent as if such Party was an original signatory hereto and (b) be deemed to have made the representations and warranties as set forth in this DPA, in each case as of the earlier of (i) the date of the Agreement and (ii) such Customer’s use of any Services. Customer further represents and warrants that such Customer has read this DPA and hereby agrees to be bound by the terms of this DPA and to abide by all of its conditions and provisions. This DPA is binding upon each Party and its successors and assigns and is for the benefit of each Party and all of its affiliates.