Data Privacy Agreement
Last updated June 1, 2025
This Data Processing Agreement (“DPA”) forms an integral part of the Colabor8.ai Terms of Service (“Terms”) between the party named as “Customer” in the Terms (“Customer” or “Controller”) and Colabor8.ai, an LSC Global LLC company (“Company” or “Processor”) and sets out the parties’ respective obligations when Customer personal data is processed by Company in relation to the Services performed by Company on Customer’s behalf pursuant to the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the authorized signatories of the parties sign the Order Form.
1. Definitions and Interpretation
1.1. Capitalized terms and expressions used in this DPA shall have the following meaning. Any capitalized term used but not defined in this DPA has the meaning ascribed to it in the Terms.
1.1.1. “DPA” means this Data Processing Agreement and all Schedules attached hereto;
1.1.2. “Customer Personal Data” means any Personal Data processed by Company on behalf of Customer pursuant to or in connection with the Terms;
1.1.3. “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction where Services are provided relating to the use or processing of Personal Data, which may include depending on the circumstances (but is not limited to): (i) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); (iii) the UK Data Protection Act 2018 and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together with the EU GDPR, collectively, the “GDPR”); and (iv) the Swiss Federal Act on Data Protection (“FADP”); in each case, as updated, amended or replaced from time to time;
1.1.4. “EEA” means the European Economic Area;
1.1.5. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner;
1.1.6. “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
1.1.7. “ex-UK Transfer” means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.1.8. “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
1.1.9. “UK SCCs” means the EU SCCs, as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued under Section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the “UK Addendum”) and incorporated by reference into this DPA.
1.1.10. “Personal Data” or “personal data” or “personal information” means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Data Protection Laws.
1.1.11. “Personal Data Breach” means a breach of security of Company or its Sub-Processors leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Company’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.1.12. “Sub-Processor” means (a) Company, when Company is processing Customer Personal Data and where Customer is itself a processor of such Customer Personal Data, or (b) any third-party Processor engaged by Company to assist in fulfilling Company’s obligations under the Terms and which processes Customer Personal Data. Sub-Processors may include third parties or Company’s affiliates, but shall exclude Company employees, contractors or consultants.
1.2. The terms, “Business”, “Commission”, “Controller”, “Data Subject”, “Member State”, “Processor”, “Processing”, “Service Provider”, and “Supervisory Authority” shall have the same meaning ascribed by relevant Data Protection Laws.
2. Applicability and Scope
2.1. Applicability. This DPA will apply only to the extent that Company processes, on behalf of Customer, Personal Data to which applicable Data Protection Laws apply.
2.2. Scope. The subject matter of the data processing is the provision of the Services, and the processing will be carried out for the duration of the Terms. Exhibit A sets out the nature and purposes of the processing, the types of Personal Data Company processes and the categories of data subjects whose Personal Data is processed.
3A. Processing of Customer Personal Data
3.1. Customer appoints Company as a Processor to process Customer Personal Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Terms, this DPA and as otherwise necessary to provide the Services to Customer (which may include investigating attempted or confirmed security breaches, and detecting and preventing exploits or abuse); (b) as necessary to comply with applicable law, including Data Protection Laws; and (c) as otherwise agreed in writing between the Parties (“Permitted Purposes”).
3.2. Customer shall, in its use of the Services, at all times provide and/or process Personal Data, and provide instructions to Company for the processing of such Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Company to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the DPA or otherwise inappropriate for the nature of the Services and shall indemnify Company from all claims and losses in connection therewith.
3.3. Company shall:
3.3.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
3.3.2. only Process Customer Personal Data on the relevant Customer’s documented instructions.
3.4. Company shall not process Personal Data for any reason other than the Permitted Purposes, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by a Supervisory Authority to which the Company is subject; in such a case, the Company shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Protection Laws.
3.5. Following completion of the Services, Company shall delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Company have entered into Standard Contractual Clauses as described in Section 11 (Restricted Transfer), the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Company to Customer only upon Customer’s written request.
3.6. Company shall notify Customer after Company determines that it can no longer meet its obligations under Data Protection Laws.
3B. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Confidentiality
4.1. Security Policy and Confidentiality. Company requires all employees to acknowledge in writing, at the time of hire, they will adhere to terms that are in accordance with Company’s security policy and to protect Customer Personal Data at all times. Company requires all employees to sign a confidentiality statement at the time of hire.
4.2. Company will ensure that any person that it authorizes to process Customer Personal Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality (whether in accordance with Company’s confidentiality obligations in the Agreement or a statutory duty).
4.3. Background Checks. Company conducts at its expense a criminal background investigation on all employees who are to perform material aspects of the Services under this Agreement.
5. Security
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data have in place and maintain throughout the term of the Terms and this DPA appropriate technical and organizational measures designed to ensure a level of security appropriate to that risk, including, as appropriate, the measures identified in Exhibit C hereto. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.2. Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Customer Personal Data.
6. Sub-processing
6.1. Customer acknowledges and agrees that Company has Customer’s general authorization to (1) engage its Affiliates and Sub-Processors to access and process Customer Personal Data solely in connection with the Services including the Permitted Purposes and (2) from time to time engage additional Sub-Processors for the purpose of providing the Services, including without limitation the processing of Customer Personal Data.
6.2. A list of Company’s current Sub-Processors (the “List”) is available to Customer at https://useColabor8.ai.com/subprocessors. Such List may be updated by Company from time to time. Upon request, Company will provide a mechanism to subscribe to notifications (which may include but are not limited to email and Slack notifications) of changes or additions to the Sub-Processors on the List and Customer, if it wishes, will subscribe to such notifications. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to the List. At least ten (10) days before enabling any change or addition to the Sub-Processors authorized by Company to perform Services under the Terms and this DPA, Company will make such change to the List and notify all subscribers to the List, including Customer if subscribed, via the aforementioned notification channels. Customer may object to such a change by informing Company in writing within fourteen (14) days of receipt of the aforementioned notice from Company, provided such objection is in writing and based on reasonable grounds relating to the protection of Customer Personal Data pursuant to the terms of this DPA. Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of such a Sub-Processor may prevent Company from offering the Services to Customer.
6.3. If Customer reasonably objects to an engagement in accordance with Section 6.2, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed to Company under the Terms.
6.4. If Customer does not object to a Sub-Processor change or addition in accordance with Section 6.2 within the applicable notice period, such Sub-Processor change or addition shall be deemed accepted by Customer for the purposes of this DPA.
6.5. Company will enter into a written agreement with all Sub-Processors imposing on them Sub-Processor data protection obligations comparable to those imposed on Company under this DPA with respect to the protection of Customer Personal Data. Company shall remain responsible for the acts and omissions of its Sub-Processors as if they were the acts and/or omissions of Company hereunder.
6.6. If Customer and Company have entered into Standard Contractual Clauses as described in Section 12 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Company of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Sub-Processors that must be provided by Company to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Company beforehand, and that such copies will be provided by the Company only upon written request from Customer.
7. Data Subject Rights
7.1. Taking into account the nature of the Processing, Processor shall reasonably assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
7.2. Processor shall:
7.2.1. promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
7.2.2. ensure that it does not respond to a request from a Data Subject identified as an individual connected to Customer Personal Data except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Data Protection Laws inform Controller of that legal requirement before the Processor responds to the request.
8. Personal Data Breach
8.1. Processor shall notify Controller within 72 hours upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2. Processor shall cooperate with the Controller and take reasonable commercial steps as directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
10. Deletion or return of Customer Personal Data
10.1. Subject to Section 10, Processor shall promptly and in any event within 30 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
11. Audit rights
11.1. Subject to the requirements of this section, Processor shall make available to Controller on written request all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to reasonable requests for audits, including inspections, by the Customer or a third-party auditor retained by the Customer in relation to the Processing of the Customer Personal Data by the Processor.
11.2. All audits requested hereunder shall be (a) carried out at Customer’s sole cost and expense, (b) subject to mutual agreement as to the details of the audit including a reasonable start date, scope and duration of such audit, (c) subject to Company’s security and confidentiality terms and guidelines, and (d) performed a maximum of once annually (with an exception for a Personal Data Breach). All third-party auditors must be approved by Company in writing in advance.
12. Restricted Transfer
12.1. The parties agree that Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Company’s primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer. If Company transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Company will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
12.2. The parties agree that Restricted Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
12.2.1. Module One (Controller to Controller) of the EU SCCs applies when both Company and Customer are processing Personal Data as a Controller.
12.2.2. Module Two (Controller to Processor) of the EU SCCs applies when Customer is a Controller and Company is a Processor to Customer.
12.2.3. Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a Processor and Company is a Sub-processor to Customer.
12.3. For each module, where applicable, the following applies:
12.3.1. In Clause 7, the optional docking clause does not apply.
12.3.2. In Clause 9, Option 2 (general written authorization) applies, and the period for notice is set forth in Section 6 (Sub-processing);
12.3.3. In Clause 11, the optional language does not apply.
12.3.4. All square brackets in Clause 13 are hereby removed.
12.3.5. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the Republic of Ireland.
12.3.6. In Clause 18(b), disputes will be resolved before the courts of Ireland.
12.3.7. Exhibit B to this DPA contains the information required in Annex I and Annex III of the EU SCCs.
12.3.8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
12.3.9. By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
12.4. Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this DPA.
12.5. Transfers from Switzerland. The parties agree that transfers of Customer Personal Data from Switzerland are made pursuant to the EU SCCs with the following modifications:
12.5.1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
12.5.2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
12.5.3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the EU GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
12.5.4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
12.6. Supplementary Measures. In respect of any Restricted Transfer or ex-UK Transfer, the following supplementary measures shall apply:
12.6.1. As of the date of this DPA, the Processor has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Customer Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”);
12.6.2. If, after the date of this DPA, the Processor receives any Government Agency Requests, it shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Company may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Company shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so. Company shall not voluntarily disclose Customer Personal Data to any law enforcement or government agency. Customer and Company shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Customer Personal Data pursuant to this DPA should be suspended in light of such Government Agency Requests; and
12.6.3. The Customer and Company will meet as needed to consider whether:
12.6.3.1. the protection afforded by the laws of the country of the Processor to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
12.6.3.2. additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
12.6.3.3. it is still appropriate for Personal Data to be transferred to the relevant Processor, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
12.6.4. To the extent that Company adopts an alternative data transfer mechanism (including any new version of or successor to the SCCs adopted pursuant to Data Protection Laws) (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall, upon written notice to Customer and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Legislation applicable to the EEA and extends to territories to which Customer Personal Data is transferred).
13. No Sale or Sharing
To the extent that the processing of Customer Personal Data is subject to U.S. data protection laws, Company is prohibited from: (a) selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration; (b) sharing Customer Personal Data with any third party for cross-behavioral advertising; (c) retaining, using, or disclosing Customer Personal Data for any purpose other than for the business purposes specified in this DPA or as otherwise permitted by U.S. data protection laws; (d) retaining, using or disclosing Customer Personal Data outside of the direct business relationship between the parties; and (e) except as otherwise permitted by U.S. data protection laws, combining Customer Personal Data with personal data that Company receives from or on behalf of another person or persons, or collects from its own interaction with the data subject. Company will notify Customer promptly if it makes the determination that it can no longer meet its obligations under applicable U.S. data protection laws.
14. General Terms
14.1. Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA and the Terms (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; or (b) the relevant information is already in the public domain.
14.2. Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, sent by email, or sent by Slack to the address or email address as notified from time to time by the Parties in writing.
14.3. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Terms.
14.4. Notwithstanding anything in the Terms or any order form entered in connection therewith, the parties acknowledge and agree that Company’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Services.
14.5. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the SCCs).