This Data Processing Addendum (Addendum) reflects the parties’ agreement about the processing of Customer Personal Information in connection with the Services (as defined below) under the LawVu SaaS Terms between Customer and LawVu (Agreement). 

1 DEFINITIONS AND INTERPRETATION

1.1 Definitions.

Applicable Privacy Laws means all data protection and privacy laws and regulations applicable to the Personal Information processed by the Services pursuant to the Agreement, including, where applicable, the New Zealand Privacy Act 2020, the UK Data Protection Law, the EU Data Protection Law, the Australian Privacy Act 1988 (Cth), and the CCPA.

CCPA means the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act and its implementing regulations. The following terms have the definitions given to them in the CCPA: “Business,” “Sale,” “Share,” “Service Provider,” and “Third Party.”

Controller means the entity that determines the purposes and means of processing Personal Information. “Controller” includes equivalent terms in Applicable Privacy Laws, such as the CCPA-defined term “Business”, or “Third Party,” as context requires.

Customer means the entity identified in the Agreement.

Customer Personal Information means any Personal Information processed by LawVu on behalf of the Customer pursuant to the Agreement, including Personal Information contained in any User Data (as defined in the Agreement).

EU Data Protection Laws means all data protection and privacy laws applicable in the European Union to the Personal Information processed by the Services pursuant to Agreement, including the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”).

Personal Information has the meaning given to the phrase “personal information” and “personal data” as provided in Applicable Privacy Laws. 

Personal Information Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information processed by LawVu pursuant to the Agreement.

Processor means an entity that processes Personal Information on behalf of another entity. “Processor” includes equivalent terms in Applicable Privacy Laws, such as the CCPA-defined term “Service Provider,” as context requires.

Regulatory Bodies means those government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the matters relating to the security of data, Personal Information, privacy protection or other laws connected to the Agreement.

Services means the services provided by LawVu to the Customer as set out in the Agreement.

Standard Contractual Clauses means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for Transfers of Personal Information to Third Countries not otherwise recognized as offering an adequate level of protection for Personal Information by the European Commission (as amended and updated from time to time).

Subprocessor means any Processor engaged by LawVu to process the Customer Personal Information to provide the Services.

Transfer means making Customer Personal Information accessible to any person other than the data subject, including, but not limited to the active transfer of the data, permitting access, also remotely, storing, sharing and publishing.

Third Country means a country or territory that is not: (a) where the UK GDPR applies, subject to an adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; or (b)

where the EU GDPR applies, subject to an adequacy determination by the European Commission.

UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under section 119A of the UK Data Protection Act 2018 (as amended and updated from time to time).

UK Data Protection Law means all data protection and privacy laws applicable in the United Kingdom to the Personal Information processed by the Services pursuant to Agreement, including the EU GDPR as it forms part of UK law by virtue of section 3 of the UK Data Protection Act 2018 (the “UK GDPR”).

1.2 Interpretation. In this Addendum, unless the context otherwise requires:

(a) references to “data subject”, “processing” and “special category Personal Information” shall have the same meanings ascribed to them by the Applicable Privacy Laws;

(b) reference to a party shall include that party's executors, administrators, successors and assigns;

(c) reference to a statute or regulation shall include all amendments and re-enactments thereof;

(d) writing includes electronic communications (including email) and written has a corresponding meaning; and

(e) terms not otherwise defined in this Addendum will have the meaning set out in the Agreement.

1.3 Agreement. This Addendum is supplemental to the Agreement. Any breach of this Addendum shall constitute a material breach of the Agreement.

1.4 Priority. In the event of any conflict between the Agreement and this Addendum, the terms in this Addendum shall prevail (to the extent of any such inconsistency).

2 DATA CONTROLLER AND PROCESSOR

2.1 Role of Parties. For the purposes of this Addendum, the Customer (and each group company of the Customer) is a Controller or Processor and LawVu is a Processor. This Addendum applies to the processing of Customer Personal Information by LawVu to provide the Services.

2.2 Customer Obligations. Customer is solely responsible for providing any required notices and obtaining any required consents from data subjects, and for the processing instructions provided to LawVu.

2.3 Appointment as Data Processor. The Customer appoints LawVu as a Processor of the Customer Personal Information, and LawVu accepts the appointment. The categories of Customer Personal Information, the processing operations, the purposes of processing and the for the purposes specified in Annex A to this Addendum. 

2.3 Customer Warranties. The Customer warrants that:

(a) no contractual obligations prohibit the processing of the Customer Personal Information as described in the Agreement (including this Addendum); and

(b) the production, collection, and processing of Customer Personal Information has been and will continue to be carried out in accordance with the Applicable Privacy Laws.

3 CUSTOMER PERSONAL INFORMATION PROCESSING

3.1 Instructions for Processing. LawVu will process Customer Personal Information in only accordance with the Customer’s documented instructions, in accordance with the Addendum and in compliance with Applicable Privacy Laws. Customer instructs LawVu to process Customer Personal Information to provide the Services in accordance with the Agreement (including this Addendum) and as further specified via the Customer’s use of the Services. LawVu shall notify the Customer if it is of the opinion that any instruction provided by the Customer is in breach of any Applicable Privacy Law.

3.2 Outside of instructions. LawVu may process Customer Personal Information outside of the Customer’s instructions only to the extent Appliable Privacy Laws to which LawVu is subject require it.

3.3 LawVu’s obligations as a Service Provider. Where the CCPA applies and LawVu is a Service Provider and the following provisions shall apply:

(a) LawVu is prohibited from: (i) Selling or Sharing Personal Information; (ii) retaining, using, or disclosing Personal Information for any purpose other than for the specific business purpose of performing Customer’s documented instructions for the business purposes defined in clause 3.2.1 and as described in more detail in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than performing Customer’s instructions; or (iii) retaining, using, or disclosing the Personal Information outside of the direct business relationship between the parties as defined in this Agreement, unless expressly permitted by the CCPA. 

(b) LawVu is prohibited from combining the Personal Information that it receives from, or on behalf of, the Customer with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that LawVu may combine Personal Information to perform a business purpose as defined in the CCPA (except for providing marketing and advertising services).

(c) LawVu must comply with all applicable sections of the CCPA, including, with respect to the Personal Information it collects pursuant to the Agreement, providing the level of privacy protection that is required of Businesses by the CCPA.

(d) LawVu will notify the Customer if it makes a determination that it can no longer meet its obligations under the CCPA.

(e) LawVu will grant the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate LawVu’s unauthorized use of Personal Information.

3.4 LawVu’s Obligations as Controller. Where LawVu is a Controller with regard to Personal Information that LawVu collects from data subjects in connection with the Services LawVu will comply with all the relevant requirements of the Applicable Privacy Laws.

3.5 LawVu’s Obligations as a Third Party. Where the CCPA applies and LawVu is a Third Party with regard to Personal Information that is collected, exchanged, or otherwise Processed in connection with its performance of the Agreement, and the following provisions will apply:

(a) LawVu shall only process Personal Information for the limited and specific purposes for which the Personal Information is made available by the Customer to LawVu and according to the written instructions of Customer

(b) LawVu will comply with all applicable sections of the CCPA, including by providing the same level of privacy protections as required of Businesses under the CCPA.

(c) LawVu will grant the Customer the right, with respect to Personal Information that the Customer makes available to LawVu, to take reasonable and appropriate steps to: (i) ensure that LawVu uses the Personal Information in a manner consistent with the Customer’s obligations under the CCPA; and (ii) stop and remediate unauthorized use of Personal Information made available to LawVu by the Customer.

(d) LawVu will notify the Customer if it makes a determination that it can no longer meet its obligations under the CCPA.

4 COOPERATION OBLIGATIONS

4.1 Assistance. LawVu shall take any steps reasonably requested by the Customer to assist the Customer to demonstrate compliance with its obligations under Applicable Privacy Laws, including to assist and support the Customer:

(a) in the event of an investigation or other control measures or by any Regulatory Body to the extent that such investigation relates to Customer Personal Information;

(b) in the event of the exercise of any claims by data subjects or third parties related to the processing of Customer Personal Information under this Addendum or the Agreement;

(c) complying with the rights of data subjects, including the right to obtain transparent information, the right to access, rectify, and erase their Personal Information, restrict, or object to, the processing of their Personal Information, exercise their right to data portability;

(d) in notifying, consulting with and obtaining approvals from Regulatory Bodies where required; and

(e) in performing data protection impact assessments.

4.2 Data subject rights.

(a) LawVu shall promptly comply with any request from the Customer requiring LawVu to access, amend, obtain a copy or delete any Customer Personal Information, in a manner consistent with the functionality of the Services and LawVu’s role as a Processor,

(b) For the avoidance of doubt, Customer is responsible for responding to requests from data subjects to exercise rights under Applicable Privacy Laws. LawVu must inform the Customer promptly, in accordance with the notification requirements under Applicable Privacy Laws, following LawVu’s receipt of any inquiry from a data subject with respect to Customer Personal Information.

(c) Provided that the Customer acts in accordance with Applicable Privacy Laws, LawVu shall not respond to any such request referred to in clause 4.2(b) unless expressly authorised to do so by the Customer.

4.3 Regulatory action. LawVu will promptly notify the Customer about:

(a) any legally binding request addressed to LawVu or any of its Subprocessors for the disclosure of Customer Personal Information by a Regulatory Body, unless otherwise prohibited by the applicable law; and

(b) any monitoring activities and measures undertaken by the Regulatory Body, including where a Regulatory Body investigates LawVu for a possible breach of Applicable Privacy Laws.

4.4 Audit rights. Upon Customer’s request, not more than once per calendar year, and subject to non-disclosure agreement, LawVu shall provide to Customer the most recent audit report performed by an independent auditor so that Customer can verify LawVu’s compliance with its obligations under this Addendum. To the extent that the Customer reasonably determines that the report is not sufficient to demonstrate compliance or to respond to a regulatory audit, LawVu will allow for and contribute to audits of LawVu’s processing activities and facilities conducted by the Customer (to the extent such measures are able to be audited), including inspections. Any audit or inspection undertaken by the Customer shall be (a) at a mutually agreed time, duration and scope; (b) at the Customer’s cost; and (c) to the extent the audit is conducted by a third party audit firm, the third party audit firm enters into an agreement containing confidentiality terms no less protective than the confidentiality terms set out in the Agreement.

5 PERSONAL INFORMATION BREACH

5.1 Personal Information Breach: To the extent LawVu becomes aware of any Personal Information Breach, then LawVu must without undue delay (and where feasible, within 72 hours of becoming aware of the breach):

(a) notify the Customer, taking into account the notification duty requirements imposed on the Customer under Applicable Privacy Laws;

(b) investigate the Personal Information Breach and provide the Customer with the information set out in clause 5.b; and

(c) take all the necessary measures to remedy or mitigate the Personal Information Breach and to prevent further similar Personal Information Breaches.

 5.2 Information obligations. LawVu shall summarise in reasonable detail the impact of the Personal Information Breach, including describing to the extent this is known to LawVu: (a) the nature of the Personal Information Breach; (b) the categories and numbers of data subjects concerned; (c) the categories and numbers of Personal Information records concerned; (d) the details of any unlawful recipient (including names, addresses and business sectors); (e) the estimated risk and the likely consequences of the Personal Information Breach; and (f) the measures taken or proposed to be taken to address the Personal Information Breach.

6 TECHNICAL AND ORGANISATIONAL MEASURES

6.1 Authorised Persons. LawVu will: (a) ensure that the personnel it authorises to process Customer Personal Information are under appropriate confidentiality obligations; and (b) inform its authorised personnel that the Customer Personal Information is only to be processed in accordance with the Agreement and as otherwise instructed by the Customer.

6.2 Data Security. During the processing of Customer Personal Information, LawVu shall take appropriate technical and organisational measures to ensure a level of security appropriate to protect the Customer Personal Information from the risk of a Personal Information Breach as described in the LawVu Security Pack https://lawvu.com/trust-center/.

7 CROSS BORDER TRANSFERS

7.1 Cross-Border Transfers. It is noted that LawVu is based in New Zealand and the location of its Subprocessors of Customer Personal Information are located here.

7.2 EU and UK Transfers. Customer gives LawVu general written consent to transfer Customer Personal Information to a Subprocessors located in a Third Country provided that LawVu has done all such acts and things as are necessary to ensure that the transfer is compliant with the Applicable Privacy Laws and specifically: (a) where the EU GDPR applies to the Customer Personal Information, LawVu has signed with the Subprocessor the applicable Standard Contractual Clauses; or (b) where the UK GDPR applies to the Personal Information, LawVu has signed with the Subprocessor the UK Addendum.

8 SUBPROCESSORS

8.1 Subprocessors. Customer provides LawVu general written consent for LawVu to authorise any third party to process Customer Personal Information as a Subprocessor, subject to the following conditions:

(a) LawVu maintains a list of the names and locations of all Subprocessors engaged at the effective date of the Agreement, which is available at https://lawvu.com/trust-center/privacy/subprocessors/

(b) in its contracts with the Subprocessors LawVu includes terms which provide substantially the same protections to the Customer Personal Information as those set out in this Addendum;

(c) LawVu will assume liabilities for the acts and omissions of its Subprocessors in relation to the Services provided to the Customer.

(d) LawVu notifies Customer of the appointment of any new Subprocessors with thirty (30) days prior notice. Customer agrees that such notice may be provided by means of a publicly-accessible webpage where LawVu provides details of all of its Subprocessors, including proposed Subprocessor appointments. Subject to clause 7.2, the new Subprocessor will start processing Customer Personal Information at the end of the thirty (30) days prior notice.

8.2 Subprocessor Objection Right. Customer may object to the appointment of the new Subprocessor on reasonable grounds relating to data protection by providing written notice to LawVu within the following fifteen (15) days following notification pursuant to 7.1(d) above. In which case LawVu will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Customer Personal Information by the objected-to new Subprocessor.

9 LIABILITY

9.1 Agreement. Unless expressly prohibited by law, with regard to the parties' liability to each other under or in connection with the Agreement and this Addendum, the provisions of the Agreement shall apply. To the extent permitted by law, any liability cap and liability exclusions applicable to a party under the Agreement (including without limitation exclusions of any special, indirect or consequential loss, or loss of profits, loss or corruption of data, revenue, business or goodwill) shall apply in respect of that party’s total liability under this Addendum and the Agreement.

10 TERM AND TERMINATION

10.1 Term and Termination. This Addendum will commence on the date it is agreed by the parties, and will terminate on the date the Agreement terminates or expires, except that either party may terminate this Addendum earlier than the Agreement where the parties sign a new data processing agreement to replace this Addendum.

10.2 Return and Destruction of Customer Personal Information. Upon termination of the Agreement or request of the Customer LawVu shall hand over to the Customer all Customer Personal Information, and shall erase or destroy the related Customer Personal Information in accordance with the relevant provisions of the Agreement. This requirement shall not apply to the extent that LawVu is required to retain some or all of the Customer Personal Information pursuant to Applicable Privacy Laws.

Annex A

Description of the Processing

1. Categories of data subjects whose Personal Information is processed under the Agreement:

Customer may submit Personal Information to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of data subjects:

• Customer’s employees, contractors, advisors, agents (who are natural persons);
• Individuals authorised by the Customer to access the Services;
• Employees of business partners, suppliers, customers and prospects (who are natural persons); and
• Individuals who are the subject of any contracts, memorandums and other documents used to manage legal matters that are uploaded to the Services.

2. Categories of Personal Information processed under the Agreement:

Customer may submit Personal Information to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Information:

• First and last name
• Contact information
• Employment information (employer, job title, academic and professional qualifications)
• System access / usage/ authorisation data
• Personal Information contained in contracts, memorandums and other documents used to manage legal matters that are uploaded to the Services
• Personal Information contained in emails and related messages uploaded to the Services

3. Special category Personal Information processed (if applicable):

Special categories Personal Information are not required to use the service. 

Customer may submit special category Personal Information to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which is for the sake of clarity Personal Information with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The Customer submits special category Personal Information to the Services acknowledging the adequacy of the security measures described in art. 6 of this Addendum.

4. Nature and purpose of the processing:

LawVu will process Customer Personal Information as necessary to provide the Services under the Agreement.

DEFINITIONS     

"Business Day" means any day other than a Saturday, Sunday or statutory public holiday in Auckland, New Zealand;

“Data Protection Laws” means all applicable data protection laws and regulations protecting the right to privacy which apply to you and us that we are legally obliged to comply with in our processing of User Data under the Agreement.

“Confidential Information” means information which would be reasonably expected to be confidential by nature, is marked or identified as confidential, relates to Our IP, our financial position, business, sales, marketing or other operations.  It also includes your User Data. It does not include      information that is public knowledge (except as a result of a breach of an obligation of confidence under this Agreement), or information received from a third party without restriction and without breach of any obligation of confidentiality. 

"Personal Data" means Personal Data, having the meaning given in the Data Protection Laws (and, for the purposes of the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988, having the meaning given to the term 'personal information'), which is received by us or the Platform from, or on behalf of you;

"Personnel" means your and your affiliates employees and contractors (for avoidance of doubt, this does not include us);

"Platform" means the technology and systems through which we provide you with the Services;

"Service/s" means the software-as-a-service provided to you via the Platform, which may include any associated professional services, as specified in an Order Form; and

"Service Provider" means individuals who you authorise to use and access the Platform pursuant to, and in accordance with, the terms of this Agreement; and

"User Data" means all electronic data and information (including Personal Data) that is submitted or uploaded to and stored in the Platform by you, your Personnel or Service Providers in connection with this Agreement, or generated by the Platform as an output derived from such data, but excluding all data and information supplied by us and any database or insights utilising aggregated or anonymised data.

INTERPRETATION

In this Agreement, unless the context otherwise requires:

headings are to be ignored in the interpretation of this Agreement;

the singular includes the plural and vice versa;

a reference to a statute or other law includes regulations and other instruments under it and consolidations, amendments, re-enactments or replacements of any of them;

use of the word "include" or "including" is deemed to be followed by the words "without limitation";

reference to any document includes reference to that document (and, where applicable, any of its provisions) as amended, novated, supplemented, or replaced from time to time;

reference to a party, person or entity includes: (i) an individual, partnership, company, body corporate, association, trust, state, government or any agency thereof and any other entity, whether incorporated or not; and (ii) any Personnel, successor, permitted assign, administrator and other representative of such party, person or entity;

a breach of any term of the Agreement by your Personnel, affiliates and Service Providers is deemed to be a breach of the Agreement by you. You will be liable to us for the acts, defaults and neglect of your Personnel, affiliates and Service Providers as if they were your acts, defaults or neglect;

reference to a section, clause, sub-clause, schedule, or a party is a reference to that section, clause, sub-clause, schedule, or party in this Agreement unless stated otherwise; and

references to any document are references to that document as modified, assigned, novated, supplemented, varied or replaced from time to time and in any form, whether on paper or in an electronic form.