Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of, and is subject to, the CSA Agreement or other written or electronic terms of service or subscription agreement between Lunchbox Technologies Inc. ("Lunchbox") and the legal entity defined as 'Customer' thereunder.

1. Definitions

• Account: Customer's account in the Service for storing and processing Customer Data
• Customer Data: Information supplied by Customer or submitted/uploaded to Services
• Customer Personal Data: Any Customer Data that is Personal Data
• Data Controller: Entity that determines purposes and means of Processing Personal Data
• Data Processor: Entity that Processes Personal Data on behalf of Data Controller
• Personal Data: Information that can identify a natural person
• Processing: Any operation performed on Personal Data
• Security Incident: Breach leading to destruction, loss, alteration, unauthorized disclosure of Customer Personal Data
• Sub-processor: Other Data Processors engaged by Lunchbox to Process Customer Personal Data

2. Scope and Applicability

Applies where Lunchbox Processes Customer Personal Data on behalf of Customer as Data Processor in providing Lunchbox Offerings.

3. Roles and Scope of Processing

• Lunchbox acts as Data Processor (or sub-processor) on behalf of Customer
• With respect to CCPA, Lunchbox acts as "service provider"
• Customer ensures Processing instructions are lawful

4. Sub-Processing

Customer provides general authorization. Current list at: https://lunchbox.io/subprocessors

5. Security

Appropriate technical and organizational measures as described in Security Addendum at: https://trust.lunchbox.io/resources

6. Security Incident Response

Lunchbox notifies Customer without undue delay if aware of Security Incident.

7. Relationship with the Agreement

• DPA replaces any existing data processing addendum
• May be updated at https://lunchbox.io/dpa
• DPA prevails over Agreement conflicts for Processing of Customer Personal Data