LighthouseAI Data Processing Addendum
Last Revised: May 1, 2023
1. Scope, Order of Precedence and Parties
This is the Data Processing Addendum (“DPA”) of Pharma Solutions USA, Inc., DBA LighthouseAI. It applies to the Processing of Personal Data by LighthouseAI and its Affiliates on your behalf when providing software services, support services or consulting services (“Services”). The Services are described in the relevant license and/or services Agreement and the applicable order for Services (collectively, the “Agreement”). In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss Addendum (if applicable), the terms of the EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss Addendum (if applicable) shall control.
This DPA is between the end-user customer (“Subscriber”, “You”, “Your”) and the LighthouseAI contracting entity (“LighthouseAI”, “We”, “Us”, “Our”) and is incorporated by reference into the Agreement.
2. Definitions
“Affiliate” means any subsidiary of LighthouseAI that may assist LighthouseAI in processing Your Personal Data under this DPA.
“Aggregate” means information related to a group or category of individuals from which identities have been removed such that the information is not linked or reasonably linkable to any individual subject to Applicable Data Protection Laws.
“Applicable Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective that apply to the Processing of Personal Data under this Agreement and this DPA.
“Customer Content” means any data that We access or receive or that You send or upload for storage or Processing for LighthouseAI to perform Services.
“Personal Data” means any Customer Content Processed in connection with the performance of Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals or as such information may be otherwise defined under Applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed to perform the Services that compromises the security of the Personal Data.
“Sub-Processor” means any third party engaged to assist with Processing Personal Data for the performance of Services under the Agreement.
Terms used but not defined in this DPA (e.g., “Business Purpose, Consumer, Controller, Data Subject, Process/Processing, Processor”) shall have the same meaning outlined in the Agreement or Applicable Data Protection Laws.
3. Roles as Data Controller and Data Processor
For purposes of this DPA, You are the Data Controller of the Personal Data Processed by LighthouseAI in its performance of the Services under the terms of the Agreement. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Personal Data to us for the performance of the Services, including without limitation obtaining any consents, providing any notices, or otherwise establishing the required legal basis and responding promptly to any inquiries from a Supervisory Authority. Unless specified in the Agreement, You will not provide Us with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and you will limit Our access to Personal Data as necessary to perform the Services.
LighthouseAI is the Data Processor and service provider concerning such Personal Data, except when You act as a Processor of Personal Data, in which case We are a Sub-Processor. Your Data remains Your exclusive property and is Confidential Information under the terms of the Agreement. LighthouseAI is responsible for complying with its obligations under Applicable Data Protection Laws that apply to its Processing of Personal Data under the Agreement and this DPA.
4. Purpose of Processing
LighthouseAI and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described in Section 6, will Process Personal Data only to perform the Services in accordance with your written instructions as specified in the Agreement, this DPA and in accordance with Applicable Data Protection Laws. We may also aggregate Personal Data as part of the Services to provide, secure, and enhance LighthouseAI products and Services.
We will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law. We will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response. We may provide Personal Data to Affiliates in connection with any anticipated or actual merger, acquisition, sale, bankruptcy, or other reorganization of some or all of Our business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.
5. Data Subjects and Categories of Personal Data
You determine the Personal Data to which You provide Us access to perform the Services. This may involve the Processing of Personal Data of the following categories of Your Data Subjects:
- Employees and applicants
- Customers and end users
- Suppliers, agents, and contractors
The Processing of Your Data may also include the following categories of Personal Data:
- Direct identifiers such as first name, last name, date of birth, and home address
- Communications data such as home telephone number, cell telephone number, email address, postal mail address, and fax number
- Family and other personal circumstance information, such as age, date of birth, marital status, spouse or partner, and number and names of children
- Employment information such as the employer, work address, work email and phone, job title and function, salary, manager, employment ID, system usernames and passwords, performance information, and CV data
- Other data such as financial, goods or services purchased, device identifiers, online profiles and behaviors, and IP address
- Other Personal Data to which You provide Us access in connection with the provision of products or Services
6. Sub-Processors and Affiliates
Subject to the terms of this DPA, You authorize us to engage Sub-Processors and Affiliates for the Processing of Personal Data. These Sub-Processors and Affiliates are bound by written agreements requiring them to provide at least the level of data protection required of LighthouseAI by the Agreement and this DPA. We have implemented commercially reasonable measures designed to confirm compliance with such agreements. You may request us to audit a Sub-Processor or obtain an existing third-party audit report related to the Sub-Processor’s operations to verify compliance with these requirements. You may also request copies of the data protection terms We have in place with any Sub-Processor or Affiliate involved in providing the Services. We remain responsible at all times for such Sub-Processors’ and Affiliates’ compliance with the requirements of the Agreement, this DPA and Applicable Data Protection Laws.
Where LighthouseAI is a Processor (and not a Sub-Processor), the following terms apply:
- If based on reasonable grounds related to the inability of such Sub-Processor or Affiliate to protect Personal Data, You do not approve of a new Sub-Processor or Affiliate, then You may terminate any subscription for the affected Service by providing, before the end of the notice period, written notice of termination that includes an explanation of the grounds for non-approval.
- If the affected Service is part of a suite (or a similar single purchase of Services), any such termination will apply to the entire suite.
- After such termination, You shall remain obligated to make all payments required under any purchase order or other contractual obligation to LighthouseAI. You shall not be entitled to any refund or return of payment from LighthouseAI.
7. Requests from Data Subjects
We will make available to You the Personal Data of Your Data Subjects and the ability to fulfil requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws in a manner consistent with our role as a Data Processor. We will provide reasonable assistance to assist with Your response.
If We receive a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, We will direct the Data Subject to You unless prohibited by law.
8. Security
We shall implement and maintain appropriate administrative, technical, and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are outlined in the LighthouseAI Services Security Exhibit, available at https://www.pharma.solutions/services-security-exhibit.html. We seek to continually strengthen and improve Our security practices and reserve the right to modify the controls described therein. Any modifications will not diminish the level of security during the relevant term of Services. Our employees are bound by appropriate confidentiality agreements, must complete regular data protection training, and must comply with our corporate privacy and security policies and procedures.
9. Personal Data Breach
We shall notify You without undue delay after becoming aware of a Personal Data Breach involving Personal Data in our possession, custody or control. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and an approximate number of Personal Data records concerned; (ii) provide the name and contact details of the data protection officer or another contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with Us on the content of public statements or required notices to individuals and/or Supervisory Authorities.
10. Your Instructions and Providing Information & Assistance
You may provide additional instructions to Us related to the Processing of Personal Data necessary for You and LighthouseAI to comply with our respective obligations under Applicable Data Protection Laws as a Data Controller and Data Processor. We will comply with Your instructions at no additional charge, provided that if Your instructions impose costs on Us beyond those included in the scope of Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs. We will promptly inform You if We believe that Your instructions are inconsistent with Applicable Data Protection Laws, provided that We will not be obligated to inspect or verify Your Processing of Personal Data independently.
We will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including, without limitation, Your obligations under the EU General Data Protection Regulation to implement appropriate data security measures, carry out a data protection impact assessment and consult the competent Supervisory Authority (taking into account the nature of Processing and the information available to Us), and as further specified in this DPA.
11. Return and Deletion of Personal Data
We will return or provide an opportunity for You to retrieve all Personal Data after the end of the provision of Services and delete existing copies. With respect to cloud services, You shall have thirty (30) calendar days to download Your Data after the termination of the Agreement, and You must contact technical support for download access and instructions. In the event You do not contact technical support for this purpose within 30 calendar days after the end of the provision of Services, We shall delete Your Data promptly once that Personal Data is no longer accessible by You, except for (i) back-ups deleted in the ordinary course, and (ii) retention as required by applicable law or normal IT operations. In the event of either (i) or (ii), We will continue to comply with the relevant provisions of this DPA until such data has been deleted. We will provide written confirmation of deletion upon request.
12. Audit
If the information you request of LighthouseAI under Section 11 above does not satisfy your obligations under Applicable Data Protection Laws, You may audit our Processing of Your Data once per year or as otherwise required by Applicable Data Protection Laws. To request an audit, you must provide Us with a proposed detailed audit plan three weeks in advance, and We will work with you in good faith to agree on a final written plan. Any such audit shall be conducted at Your own expense, during regular business hours, without disruption to our business, and in accordance with our security rules and requirements. Before any audit, We undertake to provide You reasonably requested information and associated evidence to satisfy Your audit obligations, and You undertake to review this information before undertaking any independent audit. If any of the requested scope of the audit is covered by an audit report issued to Us by a qualified third-party auditor within the prior twelve months, the parties agree that the scope of Your audit will be reduced accordingly.
You may use a third-party auditor with Our agreement, which will not be unreasonably withheld. Before any third-party audit, such an auditor must execute an appropriate confidentiality agreement with us. If the third party is Your Supervisory Authority and applicable law enables it to audit Us directly, we will cooperate with and provide reasonable assistance to the Supervisory Authority in accordance with Applicable Data Protection Laws.
You will provide us with a copy of any final report unless prohibited by Applicable Data Protection Laws, will treat the findings as Confidential Information in accordance with the terms of the Agreement (or confidentiality agreement entered into between You and LighthouseAI), and will use it solely for the purpose of assessing our compliance with the terms of the Agreement, this DPA, and Applicable Data Protection Laws.
13. Effective Date and Changes
This DPA becomes effective upon Your purchase of the Services. Termination of the Agreement does not relieve either party of its obligations under this DPA. LighthouseAI reserves the right to revise this DPA to meet changing regulatory and compliance needs subject to the commitments of Section 8. When it does so, LighthouseAI will update the “Last Revised” date at the top.