Lytics Terms of Service

DATE OF LAST UPDATE: June 30, 2023

Welcome to Lytics. We offer online Subscription Services that combine advanced data science with our machine learning decision engine to help you achieve your marketing goals. We offer these Services under these Lytics Terms of Service (this “Agreement“).

BY INDICATING YOUR ACCEPTANCE OF THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE AGREEING TO BE BOUND BY ALL TERMS, CONDITIONS AND NOTICES CONTAINED OR REFERENCED IN THIS AGREEMENT. IF YOU DO NOT AGREE TO THIS AGREEMENT, PLEASE DO NOT USE THE SERVICES. FOR CLARITY, EACH PARTY EXPRESSLY AGREES THAT THIS AGREEMENT IS LEGALLY BINDING UPON IT.

This Agreement is entered into by and between Lytics, Inc., a Delaware corporation (“Lytics” or “we“), and the organization placing an order for the Services (“Customer” or “you“) or whose User is accessing the Services. This Agreement consists of the terms and conditions set forth below, any appendices identified below and any ordering documents, online registration, order descriptions or order confirmations referencing this Agreement (“Service Orders“). If you are accessing or using the Services on behalf of your organization, you represent that you are authorized to accept this Agreement on behalf of your organization, and all references to “you“, “your“, or “Customer” reference your organization. “Party” refers to you and Lytics separately and Parties” refers to you and Lytics collectively.

The “Effective Date” of this Agreement is the earlier of (a) the date of Customer’s initial access to the Services (as defined below) through any online provisioning, registration or order process or (b) the effective date of the first Service Order referencing this Agreement. This Agreement will govern Customer’s initial purchase on the Effective Date as well as any future purchases made by Customer that reference this Agreement.

---

1. Definitions

1.1 “Affiliate” means a legal entity that, directly or indirectly controls, is controlled by or is under joint control with another legal entity. For this purpose, a legal entity is deemed to control another legal entity if it (a) owns, directly or indirectly, at least 50 percent of the capital of the other company.

1.2 “Connected Platform” means a third-party integration software used by Customer with the Subscription Services.

1.3 “Customer Data” means any data that under this Agreement is provided by Customer to Lytics or accessed or processed by Lytics on behalf of Customer (including data retrieved from Connected Platforms), including any Personal Data. Customer Data does not include Usage Data.

1.4 “Destination” means a third-party Connected Platform or other destination to which Customer chooses to send Customer Data or a website, third-party Connected Platform, or other data source from which Customer Data is sent to the Subscription Services platform for processing.

1.5 “Documentation” means the technical documentation which is made available by Lytics to Customer and describes the operation and functionality of the Services.

1.6 “Laws” means all applicable local, state, federal and international laws, and regulations, including Personal Data Protection Laws and export controls in force as of the Effective Date.

1.7 “Output” means any reports or other output of the Services.

1.8 “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Personal Data Protection Laws.

1.9 “Personal Data Protection Laws” means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data.

1.10 “Professional Services” means the implementation and consulting services performed by Lytics or its subcontractors as specified in a SOW or Service Order.

1.11 “Sensitive Information” means any of the following: (i) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards, (ii) financial account numbers or credentials; (iii) Protected Health Information as defined in the Health Insurance Portability and Accountability Act; or (iv) social security numbers, driver’s license numbers or other government-issued identification numbers.

1.12 “Services” means Subscription Services and Professional Services.

1.13 “Source” means a Customer website, third-party Connected Platform, or other data source from which Customer chooses to send Customer Data to the Subscription Services platform for processing.

1.14 “Subscription Service(s)” means the proprietary Lytics platform specified in a Service Order, including access to any related Lytics dashboards, APIs and any set of instructions and statements written by Lytics using a computer programming language (“Lytics Code”), as well as technical support as described in this Agreement and Service Orders.

1.15 “Usage Data” means Lytics’ technical logs, account and login data, and data and learnings about Customer’s use of the Services (e.g., frequency of logins, volume of Customer Data collected or sent to Destinations). Usage Data does not include Customer Data.

1.16 “Users” means your employees, representatives, consultants, contractors or agents who are authorized to use the Subscription Service for Customer’s benefit and have unique user identifications and passwords for the Subscription Service.

2. Service Purchase, Renewal, and Trials

2.1. Subscription Services Generally. Services are purchased via a Service Order. Subscription Services are purchased as a subscription for their access and use for the period specified on a Service Order (each, a “Subscription Term). Each Service Order will specify the Subscription Service features and usage limits. Expanded scope of use may be purchased via a new Service Order during a Subscription Term for the pricing stated in the underlying Service Order and will terminate at the end of the Subscription Term. Unless otherwise stated in the Service Order, each Subscription Service will automatically renew for a 12-month Subscription Term unless either Party notifies the other at least 90 days prior to the end of the Subscription Term of its intention not to renew.

2.2. Service Trials. If Lytics offers you a Service Trial, you may use the Service during the trial period specified in the Service Order solely to determine whether to purchase Service. If you do not choose to order Service prior to completion of the Service Trial, then following the end of the Trial Period your access to the Services will be terminated and your Customer Data then hosted by Lytics will be deleted. Service Trials may not include all features or functionality offered as part of paid-for Services, and Lytics reserves the right to add or subtract any features or functionality at any time for Service Trials. Lytics has the right to suspend or terminate a Service Trial that is provided for free at any time for any reason.

NOTWITHSTANDING THE “WARRANTIES AND DISCLAIMERS” SECTION AND “INDEMNIFICATION” SECTIONS BELOW, FREE SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND LYTICS SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE FREE SERVICES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE LYTICS LIABILITY WITH RESPECT TO THE FREE SERVICES SHALL NOT EXCEED $1,000.00.

2.3. Beta Releases. You may receive access to a Service (or Service features) as an early access offering (“Beta Release”). Lytics identifies all Beta Releases as such and any usage by Customer is optional. Use of a Beta Release is permitted only for your internal evaluation during the period designated by Lytics and may be subject to additional terms provided by Lytics and agreed by you. Lytics may suspend or terminate your access to Beta Releases at any time for any reason. Beta Releases may be inoperable, incomplete or include features that Lytics may never release, and their features and performance information are Lytics’ Confidential Information. Notwithstanding anything else in this Agreement, Lytics’ liability arising out of or related to Beta Releases will not exceed US$100.

3. Service Provisioning

3.1. Availability and Access. Lytics will use commercially reasonable efforts to provide the Subscription Services to you 24 hours a day, 7 days a week in accordance with our Target Uptime Service Level Agreement stated in Appendix A hereto. During the Subscription Term, we will provide your Users access to use the logically separated Subscription Service account(s) you have ordered. Subscription Services include a restricted-access administrative interface enabling your account administrator to assign roles to Users so they can configure, manage, and monitor Customer’s use of the Subscription Services.

3.2. Support. Lytics Standard Technical Support is included with Subscription Services unless you order Premium Technical Support. Lytics technical support consists of (a) responding to Customer requests for technical support related to the Subscription Services as further described in Appendix A; (b) access to our online Documentation regarding the installation, function, and operation of the Subscription Services: and (c) Subscription Services releases provided to all our customers, with the timing of releases at Lytics’ discretion. Lytics technical support does not include debugging code not maintained by Lytics, assistance with Customer systems, or use of the Subscription Services other than as described in the Documentation.

3.4. Professional Services. Professional Services will be described in and delivered in accordance with the applicable Service Order or a mutually executed Statement of Work (“SOW”). The Parties may change a SOW only by a Change Order signed by the Parties. Professional Services will be deemed accepted ten (10) days following their completion unless Customer notifies Lytics within such 10-day period that they do not conform to the Service Order or SOW under which they were provided, in which event Lytics will reperform (at no additional charge) the Professional Services at issue to conform to the Service Order or SOW, as applicable. Lytics may use subcontractors to provide Professional Services under this Agreement. Lytics remains responsible for compliance of any such subcontractor with the terms of this Agreement and the provision of the Services as required under this Agreement.

4. Data Processing

4.1 Sources and Destination. The Subscription Services allow Customer to send Customer Data from its Sources to the Subscription Services platform and to send Customer Data from that platform to Customer’s Destinations for Customer’s further use. Supported Sources and Destinations are identified in the Documentation. As further described below and in the Documentation, Customer determines the Sources and Destinations which it uses with the Subscription Service, as well as the types and content of Customer Data it shares between its Sources and Destinations. You may choose to implement Lytics Code on your website properties to collect Customer Data from those properties and transmit it to the Subscription Services platform. The Lytics Code will access only Customer Data that is identified in the applicable Statement of Work or that Customer has configured the Subscription Services to collect. In addition, Lytics will receive Customer Data from Sources only as directed by Customer.

4.2 Data Availability. Customer may access, retrieve, and export Customer Data from the Subscription Services platform during the Subscription Term, using the Subscription Services features and functionality. See Documentation regarding event and record retention periods during a Service Order Subscription Term. See Section 7.3 for information regarding Customer account and Customer Data deletion following termination of this Agreement or a Service Order.

4.3 Security Measures. We implement and maintain physical, technical and administrative security measures designed to protect the Subscription Services and Customer Data from unauthorized access, destruction, use, modification or disclosure at a level not materially less protective than as described in Appendix B.

4.4 Data Processing Agreement. If you are a paying Customer, the terms of Appendix C (the data processing agreement or “DPA”) apply and the Parties agree to comply with such terms. The DPA addresses privacy compliance topics, including security Incident notification and management. To the extent that Lytics processes any personal data subject to the European Union General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and you are the data exporter of such personal data, your agreeing to these Terms of Service shall be treated as signing the Standard Contractual Clauses and their Annexes attached to the DPA for purposes of any transfer of personal data subject to the GDPR in connection with the Subscription Services.

5. Fees and Payment

5.1 Fees. All fees for purchased Services (“Fees”) will be itemized on the applicable Service Order. Except as otherwise stated in Section 7.3 (Effect of Termination), (a) Fees are based on Services purchased and will not be reduced during the Subscription Term, and (b), except as otherwise agreed herein, payment obligations are non-cancellable, and Fees are non-refundable.

5.2. Invoicing and Payment. All properly invoiced amounts are due and payable in United States currency within thirty (30) days following the invoice date (or thirty (30) days following the renewal date for any renewed Service) unless a different currency and period is specified in the Service Order. Payment Invoices will be sent to the address included on the invoice unless Customer instructs Lytics otherwise in writing. If payment of any properly invoiced amount is not received by Lytics by the due date, then without limiting Lytics’ rights or remedies, the invoiced amount may accrue late interest at the rate of 1.5% of the outstanding balance per month or the maximum rate permitted by law, whichever is lower

5.3 Taxes. Fees do not include any taxes (including any withholding taxes) assessable by any jurisdiction (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Lytics has the obligation to collect or pay Taxes for which Customer is responsible under this Section 5.3, Lytics will invoice such Taxes and Customer will pay them to Lytics unless Customer provides Lytics with a valid taxation exemption certificate from the relevant taxing authority. Lytics is solely responsible for taxes assessable against Lytics based on its income, property, and employees.

5.4. Overages. If you exceed your subscribed Subscription Services usage during the Subscription Term, we reserve the right to charge you overage Fees for such excess usage in accordance with, and at the applicable overage rates set forth in, the Service Order.

5.5 Travel Expenses. Customer will reimburse Lytics for reasonable travel expenses, if any, directly related to providing the Services under this Agreement only if Customer approves the travel in advance by email and Lytics follows any travel policy which Customer provides to Lytics prior to such travel. Any approved travel expenses will be invoiced separately and paid within 30 days of receipt.

6. Rights and Ownership

6.1. Customer Data. As between Lytics and Customer, Customer Data is owned by Customer. Customer shall retain all right, title and interest (including any and all intellectual property rights) in and to Customer Data. Subject to the terms of this Agreement, Customer hereby grants to Lytics a non-exclusive, worldwide, royalty-free license to use, copy, store, transmit, modify, create derivative works of and display the Customer Data solely to the extent necessary to provide Services to Customer during the Subscription Term.

6.2. Services. Users have the right to access and use the Subscription Services for Customer’s business purposes worldwide in accordance with this Agreement. Customer also has the right to use, copy and distribute the Lytics Code for use on Customer’s online properties in connection with Customer’s use of the Subscription Services. Customer may extend these rights to its Affiliates and to contractors acting on Customer’s or its Affiliates’ behalf, but Customer will remain responsible for their compliance hereunder. If Professional Services include the delivery of documents to Customer, Customer will own such documents, except for any Lytics or third-party intellectual property contained therein to which Lytics hereby grants to Customer and its Affiliates and agents a worldwide, nonexclusive, non-transferable, royalty-free right to use such intellectual property in connection with the Subscription Services. Subject to the rights expressly granted hereunder, Lytics and its licensors reserve all of their respective rights, titles, and interests in and to the Services, including all related intellectual property rights.

6.3. Feedback. Lytics has not agreed to and does not agree to treat as confidential any Feedback (as defined below) you provide to Lytics, and nothing in this Agreement or in our dealings with you arising out of or related to this Agreement will restrict Lytics right to use, disclose, or otherwise exploit Feedback, without compensating or crediting you. (“Feedback” refers to any suggestion or idea for improving or otherwise modifying any of Lytics products or services.)

7. Term and Termination

7.1. Term. This Agreement starts on the Effective Date and will terminate 30 days after the most recent Subscription Term is no longer in effect unless this Agreement is terminated earlier as provided herein.

7.2. Termination. Either Party may terminate this Agreement and any Service Order (a) if the other Party fails to cure a breach of any material provision of the Agreement and Service Order, as applicable, within thirty (30) days after receipt of written notice of such breach or (b) upon written notice if the other Party becomes the subject of a petition for bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

7.3. Effect of Termination. Upon termination of this Agreement or the most recent Subscription Term, without prejudice to any other rights or remedies which the Parties may have (a) all rights to use the Subscription Services will terminate; (b) Customer will pay to Lytics all outstanding Fees that have accrued hereunder prior to the date of termination; (c) each Party will return the other Party’s Confidential Information or delete it and confirm such deletion upon request; and (d) Customer will remove Lytics Code from Customer Systems within a reasonable period of time after termination. If Lytics terminates this Agreement or a Service Order pursuant to Section 7.2(a), Customer will promptly pay Lytics all unpaid Fees due through the end of the Subscription Term effectively terminated. If Customer terminates this Agreement or a Service Order pursuant to Section 7.2.(a), Lytics will refund to Customer on a pro-rata basis any prepaid fees applicable to Services not yet rendered.

7.4. Account and Data Retention and Deletion.

7.4.1 Account and Data Retention During the Subscription Term. Customers may retrieve and export Customer Data from the Lytics platform using the Subscription Services features and functionality. Lytics retains Known Profiles for the duration of the Customer account, Inbound Events for 12 months from the date received, and Anonymous Profiles for 12 months total to allow for potential identity resolution into a Known Profile. Anonymous Profiles will be removed from active indexing after 30 days of inactivity. (For processing efficiency, after 30 days of inactivity by an individual for whom an Anonymous Profile has been created, the Anonymous Profile will be removed from active indexing and retained for an additional 11 months for potential identity resolution into a Known Profile. Once removed from active indexing, the Anonymous Profile may not appear in Profile counts available via the UI or in historic segmentation.)

7.4.2 Account and Data Deletion Following Termination. In fewer than 30 days following termination of this Agreement or the latest Subscription Term, Lytics will terminate access to Customer Data and begin logical deletion of Customer Data followed by cryptographic erasure, except that this requirement shall not apply to the extent Lytics is required by applicable law to retain some or all of the Customer Data. This deletion, including the deletion of Customer Data on backup systems, will be completed as soon as practicable in accordance with the deletion schedules of Lytics’ underlying cloud services provider, and the Customer Data will remain encrypted until cryptographically erased.

7.5. Survival. All provisions of this Agreement that must survive the termination of this Agreement to fulfill their essential purpose, including payment and indemnification provisions, will survive.

8. Confidential Information.

“Confidential Information” means information disclosed by one Party to the other that is marked as confidential or proprietary or that, because of its subject matter, ought reasonably to be understood as confidential or proprietary. All Customer Data and Output is deemed Customer’s Confidential Information. Confidential Information excludes information that the recipient already lawfully knew prior to disclosure by Customer, that becomes public through no fault of the recipient, that was independently developed by the recipient or that was rightfully obtained by the recipient from a third party. The recipient agrees not to disclose Confidential Information except to Affiliates, employees and agents who need to know it and have agreed in writing to keep it confidential. Only those parties may use the Confidential Information, and only to exercise the recipient’s rights and fulfill its obligations under this Agreement, while using at least a reasonable degree of care to protect it. Notwithstanding anything to the contrary in this Agreement, the recipient may also disclose Confidential Information to the extent required by law after providing reasonable notice to the discloser and cooperating to obtain confidential treatment. Unauthorized disclosure of Confidential Information may cause harm not compensable by monetary damages, and the disclosing Party may seek injunctive or equitable relief in a court of competent jurisdiction, without posting a bond, to protect its Confidential Information.

9. Warranties and Disclaimer

9.1. Both Parties. Each Party warrants that it has the full right and power to enter into and perform under this Agreement, without any third-party consents or conflicts with any other agreement.

9.2. Customer. Customer warrants that it (a) will not transmit to Lytics, nor require Lytics to process, any Sensitive Information; (b) will use the Services only in accordance with this Agreement and all applicable laws and regulations; (c) Lytics’ processing of Customer Data in accordance with this Agreement will not violate any Laws or third party rights; (d) will not modify, reverse engineer, disassemble, decompile (except within the strict limits and conditions of applicable law) the Subscription Services or reproduce or create derivative works from them; (e) will not sell, rent, lease or use the Subscription Services for time sharing purposes; (f) will not remove or obscure any proprietary or other notices contained in the Services; and (g) will use reasonable efforts to protect the security and confidentiality of the User IDs and passwords that its Users use to access Customer’s Lytics account and will notify Lytics promptly if it discovers any unauthorized access to, or use of, the Subscription Service.

9.3. Lytics. Lytics represents and warrants that: (a) during the Subscription Term the Subscription Services will perform materially as described in the Documentation; (b) Professional Services will be performed in a professional and workmanlike manner; (c) it will make the Services available in accordance with Lytics’ obligations under applicable laws and government regulations, including applicable privacy laws; (d) it will not introduce any viruses or other computer instructions or technological means intended to disrupt, damage, or interfere with the use of computers, including Customer systems; (e) it owns the Subscription Services and every component thereof or is the recipient of a valid license thereto, and will maintain the authority to grant the intellectual property and other rights granted in this Agreement; and (f) the Lytics Code will not contain any code licensed under any version of any GPL or other “copyleft” license. Within 30 days of Lytics’ receipt of written notice from Customer that it has breached the warranty at 9.3.(a), Lytics will correct or repair the Subscription Services to conform to such warranty, and if Lytics fails to do so, Customer may terminate this Agreement and/or the applicable Service Order, in which event Lytics will refund to Customer any prepaid fees for the period remaining in the Subscription Term following receipt of such notice. In the event of a breach of the warranty at 9.3.(e), Lytics, at its own expense, will (i) secure the right for Customer’s continued access and use of the affected Subscription Services; (ii) modify the affected Subscription Services to make them non-infringing, provided that the same material functionality is maintained; or (iii) if the actions described earlier in this sentence are not commercially feasible for Lytics, terminate Customer’s subscription for the affected Subscription Services upon 30 days written notice and refund to Customer any prepaid fees for the period remaining in the Subscription Term following termination.

9.4. Disclaimer. EXCEPT AS EXPLICITLY STATED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND AND EACH PARTY EXPRESSLY DISCLAIMS ANY AND ALL OTHER WARRANTIES OF ANY KIND OR NATURE, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. BETA SERVICES ARE PROVIDED “AS IS,” AND AS AVAILABLE EXCLUSIVE OF ANY WARRANTY WHATSOEVER.

9.5. Records, Audits, and Testing. Lytics will maintain for three (3) years after the termination or expiration of this Agreement complete and accurate records relating to its provision of the Services, including fees charged hereunder. Lytics will provide to Customer, without charge and upon request, copies of third-party audit or compliance reports (including, without limitation, any SSAE-16 or similar reports) and penetration test reports issued with respect to Lytics or the Services. Because on site security audits, penetration tests and vulnerability scans are disruptive to Lytics business and the support of Lytics customers who are served in a multi-tenant environment, on site security audits are not supported, and penetration testing and load testing conducted by Customer or on its behalf are not permitted without Lytics prior written consent in each instance, and then only subject to such conditions as Lytics reasonably requires.

10. Indemnification

10.1 Indemnification by Lytics. Lytics will defend and indemnify Customer and its Affiliates and each of their respective directors, employees, and agents against any “Indemnified Claim“” meaning any third party claim, suite, or proceeding arising out of, related to, or alleging (a) infringement of any patent, copyright, trade secret, or other intellectual property right by a Subscription Service; (b) bodily injury or tangible or real property damage caused by the act or omission of Lytics or any of its employees, agents and subcontractors; and (c) unauthorized disclosure or exposure of Personal Data caused by the act or omission of Lytics or any of its employees, agents and subcontractors.

10.2 Indemnification by Customer. Customer will defend and indemnify Lytics and its directors, employees, and agents against any “Indemnified Claim” meaning any third party claim, suite, or proceeding arising out of, related to, or alleging violation of a privacy or confidentiality right or Law by Lytics’ processing (including its receipt and storage) of Customer Data in accordance with this Agreement.

10.3 Indemnification Generally. With respect to each Indemnified Claim the indemnitor’s obligations include retention and payment of attorneys and payment of court costs, as well as settlement at indemnitor’s expense and payment of judgments, but indemnitor’s obligations will be excused to the extent the failure of the Party to be indemnified or of its director, employee, or agent to provide prompt written notice of the Indemnified Claim or to cooperate materially prejudices the defense. The indemnitor will control the defense of any Indemnified claim, including appeals, negotiations, and any settlement or compromise thereof; provided the indemnified Party will have the right, not to be exercised unreasonably, to reject any settlement or compromise that requires that it admit wrongdoing or liability or subjects it to any ongoing affirmative obligations.

11. Limitations and Exclusions of Liability

11.1. Exclusion of Consequential Damages. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, LOST PROFITS, OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

11.2. Limitation of Liability. EXCEPT FOR EACH PARTY’S INDEMNIFICATION OBLIGATIONS, THE AGGREGATE LIABILITY OF EACH PARTY TOGETHER WITH ITS AFFILIATES WILL BE LIMITED TO AN AMOUNT EQUAL TO THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER AND ITS AFFILIATES TO LYTICS FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM FOR LIABILITY. THE AGGREGATE LIABILITY OF EACH PARTY AND ITS AFFILIATES WITH RESPECT TO ITS INDEMNIFICATION OBLIGATIONS WILL BE LIMITED TO AN AMOUNT EQUAL TO THREE TIMES THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER AND ITS AFFILIATES TO LYTICS FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM FOR LIABILITY. THE FOREGOING LIMITATIONS WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT CUSTOMER’S AND ITS AFFILIATES’ PAYMENT OBLIGATIONS UNDER THE “FEES AND PAYMENT” SECTION ABOVE.

12. Insurance.

During the term of this Agreement and for three years thereafter Lytics will maintain the following insurance coverages: adequate automobile, and workers’ compensation coverages, including such insurance coverage as may be required by law; no less than $5,000,000 in Errors and Omissions and Cyber Liability coverage; and no less than $5,000,000 in Comprehensive General Liability coverage. Upon request, Lytics will provide Customers with a certificate of insurance stating Lytics’ insurance coverage.

13. Assignment.

Neither Party may assign this Agreement without the other Party’s prior written consent, except that either Party without such consent may assign this Agreement to an Affiliate or any other entity in connection with a reorganization, merger, consolidation, acquisition, or other restructuring involving all or substantially all of such Party’s voting securities or assets. Non-permitted assignments are void.

14. Reference

During the Subscription Term, Lytics may use Customer’s name and logo on the Lytics website and in marketing materials to identify Customer as a Lytics customer.

15. Federal Government End Use Provisions.

Lytics provides the Subscription Services, including related software and technology, for ultimate federal government end use in accordance with the following: The Subscription Services consist of “commercial items,” as defined at FAR 2.101. In accordance with FAR 12.211-12.212 and DFARS 227.7102-4 and 227.7202-4, as applicable, the rights of the U.S. Government to use, modify, reproduce, release, perform, display, or disclose commercial computer software, commercial computer software documentation, and technical data furnished in connection with the Subscription Services shall be as provided in this Agreement, except that, for U.S. Department of Defense end users, technical data customarily provided to the public is furnished in accordance with DFARS 252.227-7015. If a government agency needs additional rights, it must negotiate a mutually acceptable written amendment to this Agreement specifically granting those rights.

16. Export Control.

In its use of the Subscription Services, Customer agrees to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. Without limiting the foregoing, (i) Customer represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. government as a “terrorist supporting” country, (ii) Customer shall not (and shall not permit any of its users to) access or use the Subscription Services in violation of any U.S. export embargo, prohibition or restriction, and (iii) Customer shall not submit to the Subscription Services any information that is controlled under the U.S. International Traffic in Arms Regulations.

17. Entire Agreement, Severability, and Headings.

This Agreement constitutes the complete agreement between the Parties and supersedes all prior and contemporaneous writings, negotiations, and discussions with respect to its subject matter. Neither Party has relied upon any such prior or contemporaneous communications. The Agreement may not be modified except in a written agreement signed by authorized representatives of the Parties. If any provision is found to be unenforceable, it (and related provisions) will be interpreted to best accomplish the parties’ intended purpose and the remaining terms of this Agreement will remain in full force and effect. The captions and headings are included in this Agreement for convenience only and will not be used to limit the scope or intent of any Agreement provision.

18. Conflicts.

In the event of conflict with the main body of the Agreement, a Service Order will govern, but only with respect to the subject matter of the Service Order. The terms on any purchase order or similar Customer document submitted to Lytics will have no effect on this Agreement and are hereby rejected.

19. Notice.

All notices and consents under this Agreement must be delivered in writing, in person, by overnight courier, or by certified or registered mail (postage prepaid and return receipt requested) to the other Party at its address stated at the beginning of this Agreement and to the person signing this Agreement on behalf of such Party. Customer shall provide a copy of any notice to legal@lytics.com. If the Parties have not signed this Agreement electronically or otherwise, Lytics may provide notice to Customer’s email address on file or through the Services. Any email notices shall be deemed to have been received upon delivery. Notices and consents will be deemed effective upon receipt. Either Party may change the recipient or its address for notices by providing notice to the other Party as specified herein.

20. Waivers.

No failure or delay by either Party in exercising any right under this Agreement will constitute a waiver of that right. Waivers must be signed by the waiving party and one waiver will not imply any future waiver.

21. Governing Law

This Agreement is deemed to have been made in, and will be governed by and construed in accordance with the laws of, the State of Oregon, without reference to its conflicts of law principles or the United Nations Convention on the International Sale of Goods. All disputes arising out of or relating to these Terms of Service will be submitted to the exclusive jurisdiction of a court of competent jurisdiction located in Portland, Oregon and each party irrevocably consents to such personal jurisdiction and waives all objections to this venue.

22. Modification.

Lytics expressly reserves the right to modify the Terms of Service at any time in its sole discretion by including such alteration and/or modification in these Terms of Service, along with a notice of the effective date of such modified Terms of Service. If a revision meaningfully reduces your rights, we will use reasonable efforts to notify you (by, for example, through your Customer Account or in the Service itself). To the extent you have purchased a subscription to the Service, the modified terms will be effective as to such subscription Service upon the earlier of (i) your next subscription renewal, or (ii) your acceptance of the modified Terms of Service by clicking “Agree” (or similar button or checkbox) at the time you are presented with the modified Terms of Service. If you object to the updated Terms of Service, as your exclusive remedy, you may choose not to renew, including cancelling any terms set to auto-renew. In all other cases, any continued use by you of the Service after the posting of such modified Terms of Service shall be deemed to indicate your irrevocable agreement to such modified Terms of Service.

APPENDIX A

SUPPORT and TARGET UPTIME SLA

I. SUPPORT

1. Scope of Support. Lytics offers Standard and Premium Technical Support Plans. Each plan includes assisting the Customer to troubleshoot and resolve specific implementation and/or production issues resulting from the use of the Subscription Services and Lytics platform. The Lytics Technical Support team is responsible for handling Lytics JavaScript tag installation errors, user issues and any other technical problem with the Subscription Services that prevents the Customer from using the Subscription Services.1.1 Standard Technical Support.
   • (a) Production Support. Production support applies to issues that involve Customer’s production instance of Lytics and its associated JavaScript tag, and such issues can be triaged as Severity Level 1, 2 or 3 issues.
   • (b) Implementation Support. Post-onboarding implementation support applies to issues that involve Customer’s development or staging instance of Lytics and its associated JavaScript tag, and such issues are triaged as a Severity Level 3 issue.
   • (c) Support for Lytics Warehouse and Clean Room. Three Professional Services offerings support the Lytics Subscription Services access to Google BigQuery and Analytics Hub: Lytics Warehouse, Lytics Managed Warehouse, and Managed Warehouse + Clean Room. All Technical Support issues in support of these offerings are triaged as Severity Level 3 issues.

   1.2 Premium Technical Support. Designed as an add-on module to the Standard Support plan, Lytics Premium Support offers the same services as the Standard Support plan, plus faster initial response times to technical Support requests as indicated in the Support Plan Features chart below, as well as access to the Lytics Video Training Library as described below.

   1.3 Types of Services and Support Plan Features Under Standard and Premium Support. The following types of services are typically supported under each Support Plan with Lytics Support and Customer cooperating in the troubleshooting and resolution of issues:

   • Help in understanding specific features in Lytics,
   • Clarification of documentation,
   • Addressing performance issues, and
   • Support of Lytics’ standard or custom integrations

   Support Plan Features	Standard Plan	Premium Plan
   Access to Learn Lytics Knowledge Center	Yes	Yes
   Access to Lytics Support Portal	Yes	Yes
   CDP system availability and performance monitoring 24/7	Yes	Yes
   New Subscription Service releases at Lytics’s discretion	Yes	Yes
   Named Customer Contacts per Customer instance 1	2 contacts	4 contacts
   Root Cause Analysis (for Severity 1 incidents only) 2	No	Yes
   Access to the Lytics Training Video Library 3	No	Yes (3 users)

   ¹Named Customer Contacts. To ensure the Lytics Technical Service team is able to engage with knowledgeable Customer contacts, each Support Plan has a set of allowed Named Customer Contacts which have the ability to submit support cases via the Lytics Support Portal.

   ²Root Cause Analysis. For Premium Support Plans, Customers may request more detailed technical analysis of critical production-impacting issues (Severity Level 1), in the form of a follow-up report summarizing technical root cause and remediation steps to mitigate any further risk.

   ³Access to Lytics Training Video Library. During onboarding and implementation, Premium Support Customers will have access to a library of pre-recorded, on-demand training videos, targeted to get our Customer developer and marketing teams learning quickly. After onboarding and implementation and for the remainder of each Subscription Term, Premium Support Customers will have ongoing access to the Lytics Training Video Library for up to three (3) users. Customer may request additional user seats for an additional, associated Annual Subscription Fee

2. Support Service Levels
   

   Severity Level	Definition	Initial Response Target*
   		Standard Support	Premium Support
   1 (Critical)	A Critical Severity issue has a critical business impact; Lytics is down or functioning at a significantly reduced capacity. Premium Support Plan Customers may request more detailed root cause analysis of Critical Severity, Level 1 production-impacting issues.	4 Hours	2 Hours
   2 (Medium)	A Medium Severity issue has some business impact on a production system, resulting in some functionality loss on Customer’s production system. Lytics is usable, but the service does not provide a function in the most convenient or expeditious manner.	2 Days	8 hours
   3 (Low)	A Low Severity issue is any issue pertaining to a non‐production instance and, for production instances, any issue that does not fall into either a Critical or Medium Severity Level above, including general usage questions, issues related to a non‐production environment, or feature requests. There is no impact on the quality, performance, or functionality on Customer’s production system. All Implementation Support is categorized as Low Severity, Level 3. Support for BigQuery and Analytics Hub via Lytics Warehouse, Lytics Managed Warehouse, and Managed Warehouse + Clean Room are all triaged as Low Severity, Level 3.	3 Days	1 day

3. Support Hours and Means. Routine support is available as follows:
   • Hours
     • Business hours from Monday through Friday, 6:00 a.m. to 5:00 p.m. Pacific Time (PST or PDT, as applicable on date support is requested).
     • The Lytics Support Portal indicates how Customer should report Severity Level 1 issues outside normal business hours noted above.
   • Via Lytics Support Portal: support.lytics.com.
   • Via Email: support@lytics.com.
   • Via Phone: 503-479-5880 for ticket initiation. (Leave a message providing the name of your company, your email address, and a description of the issue, and a support ticket will be generated from your message.)
4. Named Customer Contacts. Customer will identify up to two (2) contacts for Standard Support & four (4) contacts for Premium Support. These Named Support Contacts (NSCs) will serve as primary Support contacts between Customer and Lytics.
5. Required information for Logging a Support Request. When submitting a Support request, please provide the following information:
   • Brief description of the problem in the email subject line.
   • Case number in the email subject line, if this is a continuation of an existing request.
   • Detailed description of the problem, including any steps required to reproduce the problem.
   • If your organization has multiple Lytics accounts, include the account name and/or ID.
   • For any ongoing communication with Support about an active case, please include the case number.

II. TARGET UPTIME SERVICE LEVEL AGREEMENT

This Service Level Agreement (“SLA”) is issued under and forms part of the Master Subscription Agreement or other agreement with Lytics which references this SLA (“Agreement”). Any capitalized terms not defined herein has the meanings ascribed to them in the Agreement.

1. Uptime and Reliability. Subject to the concurrent throughput limits (including as may be caused by external factors) as described in the Documentation, Lytics will use commercially reasonable efforts to make its Data Ingestion API available and operational to Customer with an uptime of 99.99%, calculated on a monthly, per-minute basis (“Target Uptime”). “Data Ingestion API” means the Lytics http endpoints that ingest Customer Data. Current status reports are available at https://lytics.statuspage.io/.
2. Exclusions. The calculation of uptime will not include unavailability to the extent due to: (i) Customer’s use of the Services in a manner not authorized in the Agreement or Documentation, (ii) general Internet problems, force majeure events or other factors outside of the reasonable control of Lytics (such as denial of service attacks or third-party service outages), (iii) Customer’s (or one of its vendors’) equipment, software, network connections, utilities or other infrastructure, (iv) third party systems, acts or omissions, (v) Scheduled Maintenance or reasonable emergency maintenance, (vi) non-production traffic (e.g. load testing, internal account traffic); or (vii) development, testing, accepting or other non-production environments.
3. Scheduled Maintenance. “Scheduled Maintenance” means scheduled maintenance that may affect Target Uptime. For all Scheduled Maintenance, Lytics will use commercially reasonable efforts to notify Customer via email or text at least three (3) business days prior to starting such maintenance. Scheduled Maintenance will not exceed (2) hours per month in the aggregate and, to the extent practicable, will be scheduled during the weekend hours between 6:00 PM Friday and 11:00 PM Sunday Pacific Standard Time. In the event of any unavailability described above, Lytics will use commercially reasonable efforts to minimize any disruption, inaccessibility and/or inoperability of the Customer Data Ingestion API in connection with outages, whether scheduled or not.
4. Special Termination Right. In the event of a verified failure of the Data Ingestion API to meet the Target Uptime in two (2) consecutive months or in any three (3) of six (6) consecutive months (a “Recurring Outage”), Customer may terminate the Agreement upon written notice to Lytics and will receive as its sole remedy a refund of any fees Customer has pre-paid for use of the Services for the terminated portion of the applicable Subscription Term (“Special Termination Right”). Customer must exercise the Special Termination Right within 30 days of reasonably becoming aware of a Data Ingestion API failure or such right will be deemed waived. The Special Termination Right is Customer’s sole and exclusive remedy, and Lytics’ sole and exclusive liability, for any failure of the Data Ingestion API to achieve the Target Uptime.
5. Service Credits Available with Premium Support. If Customer has ordered Premium Support and Lytics fails to meet the Target Uptime, Customer may request and receive a service credit based on the following percentages of the Fees for the affected Subscription Services prorated for the month during which the Target Uptime was not met (the “Service Credit”).
   

   Monthly Availability	Service Credit Percentage
   99.00% up to < 99.99%	10%
   98.50% up to < 99.00%	20%
   98.00% up to < 98.50%	30%
   < 98.00%	50%

   Service Credits will be issued as credits against subscription renewal Fees or, if the subscription is not renewed, the Service Credits will be paid to Customer in the form of a refund within 30 days after the subscription termination date. To receive a Service Credit hereunder, Customer must provide written notice to Lytics of its Service Credit claim within 10 business days following the end of the month for which a Service Credit is sought. All Service Credit claims are subject to verification by Lytics’ systems.

6. Exclusive Remedy. Except for the alternative Special Termination Right Due To Recurring Outage discussed above, Service Credits are Customer’s sole and exclusive remedy for any failure to meet the Target Uptime. Service Credits are only available for Premium Support Customers. Service Credits constitute liquidated damages, are not a penalty, and are not available for any Service provided without charge.

APPENDIX B

Technical and Organizational Security Measures

Lytics will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Information uploaded to the Service, as described below. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement, including the DPA.

1. Security Governance. Lytics maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to: (a) help our customers secure their data processed using Lytics’ online product against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to Lytics online Subscription Services, and (c) minimize security risks, including through risk assessment and regular testing. Lytics’ head of security and compliance coordinates the company’s information security program with the company’s information security team. The program is overseen by an executive management committee, which includes our CEO, President, and the heads of engineering and product.
2. Scalable and Secure Infrastructure. Lytics’ Subscription Services (SaaS) infrastructure is divided into multiple, geographically dispersed data center facilities. Each facility is designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all accesses are logged. (For a more extensive discussion of the security measures built into the cloud infrastructure and services utilized by Lytics, see Google Security Overview.) Lytics Service data collection environment is architected for high availability and designed for uninterrupted data collection, leveraging global load balancing and data centers in North America.
3. Secure Data Transmission and Storage. All Customer Data is classified as confidential. Customer Data is stored in separate logical directories and encrypted at rest using AES 256. Lytics encrypts its data exports and imports in transit using TLS 1.2. Secure FTP is used for bulk transfers. All data collected on behalf of Customer is processed and stored in the United States or European Economic Area (EEA), depending upon Customer deployment, but may transit temporarily through data collection centers situated closer to the data subjects’ respective locations for optimal performance. If in such case Personal Data would be transferred to a country outside of the EEA, the provision of the applicable Standard Contractual Clauses apply. Authentication and robust access controls ensure that Customer Data is secured against unauthorized access. No confidential information is transmitted across unsecured communication channels.
4. Disaster Recovery. Lytics maintains essential disaster avoidance, readiness and recovery planning capabilities through the use of multiple geographically dispersed data centers, redundancy throughout the Subscription Services platform architecture, offsite backup media storage, and remote access capabilities. All aspects of the Lytics platform environment are designed and built with redundancies throughout. Lytics maintains a Disaster Recovery plan and tests it annually.
5. Application Security. Lytics follows an agile development methodology, with security testing implemented throughout the entire software development lifecycle. Test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation and recovery testing. Security best practices are a mandated aspect of all development activities. Selective code review is included in the scope of testing. The internal quality assurance function also applies security checks–including testing for cross site scripting vulnerabilities–as part of their regular review.
6. Risk Management. Lytics focuses its risk management in the software development process and in the production environment, evaluating the probability and impact of all vulnerabilities and changes to protect against attacks on or disruption of the Subscription Services and attempts to compromise the privacy, confidentiality, or integrity of Customer Data. Technical measures deployed include (a) firewalls for all data entering Lytics’ internal data network from any external source; (b) virus protection programs and techniques to prevent harmful software code from affecting the Subscription Services or Customer Data, (c) regular monitoring of systems used for the Subscription Services, (d) 24×7 monitoring and alerting to notify Lytics’ Platform Operations team of anomalous events, and (e) annual penetration and vulnerability testing by reputable, third-party vendors. Lytics maintains audit information and logs for all systems.
7. Employee Hiring, Training, and Awareness. Lytics employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired. Lytics trains all new employees about their confidentiality, privacy and information security obligations as part of their new employee training. We require all our employees and contractors to sign confidentiality agreements to protect confidential information. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. The product development staff receives further training specific to product development and deployment of secure applications. In addition, Lytics communicates with all personnel about privacy and information security through regular newsletters.
8. Lytics Platform Operations Management.
   • Change Management. Lytics maintains and follows formal change management processes. All changes to the production environment are risk assessed, logged, approved, and implemented by a dedicated team. All deploys to the production environment must be promoted through a pre-production test environment.
   • Patch Management. Lytics operates a commercial patch management solution to maintain all hardware system, OS and application level security patches.
   • Separation of Development and Operational Facilities. The Lytics Platform Operations environment is separate from Development and QA environments and from corporate IT (each of these environments reside in a separate network domain and is managed by a separate team). Access to Platform Operations resources is limited to Platform Operations personnel and authentication requires a separate set of credentials.
   • Malware. Lytics utilizes commercial anti-malware and vulnerability detection software. Updates are managed and pushed out as required. Definitions are automatically updated.
9. Audited Controls. An independent auditor has examined the controls present in the Lytics CDP system, including its infrastructure and operations to confirm that these controls are in accordance with the Service Organization Controls (SOC) 2 Type II Trust Services Principles for Security, Availability, Confidentiality, and Privacy. (A copy of the current audit report is available upon request under mutual NDA or this Agreement.) Lytics will retain an independent auditor to conduct SOC 2 Type II or equivalent audits on an annual basis. In addition, we contract with a reputable third party security firm to conduct a regular security audit (penetration test and web application vulnerability tests) of our Subscription Services platform. The primary objective of these audits is to gain independent third-party validation of Lytics security stance and provide actionable recommendations for mitigation of any risks that may be identified.
10. Securing Access.
    10.1 Data Access by Lytics Employees
    • Employees are given appropriate accounts on systems to which they are authorized to access, following the principle of “least privilege.”
    • Access to Customer Data is limited to legitimate business needs, including activities needed to support customer’s use of the Service.
    • Network accounts are mapped directly to employees using a unique identifier; generic administrative accounts are not used.
    • Lytics periodically reviews employee access to internal systems. Reviews ensure that employees access rights and access patterns are commensurate with their current positions.
    • A formal termination notification process exists, which is initiated by the Human Resources department. Upon notification by HR, all physical and system accesses are immediately revoked.
    • Lytics requires the use of strong passwords and requires employees to notify corporate IT immediately if they believe the security of their password has been compromised.

    10.2 Data Access by Customers

    • Customer end users are authorized only to see what is in their account and may have additional privilege restrictions placed on their access to the account by their account administrator.
    • Customer end users are identified with a username and password. They authenticate to the system using a password over an HTTPS secured web page.
    • Customer end user access and authorization may be limited or immediately removed by customer via user management console in the Lytics UI or upon written notice to Lytics Support (email).
    • Customer end user access is separated into administration access and user access.

APPENDIX C

Lytics Data Processing Addendum

This DPA forms part of the Lytics online Terms of Service or other written agreement entered into between Lytics, Inc. (“Lytics”) and your organization (“you” or “Customer”) that incorporates this DPA by reference (the “Agreement”), and governs the Processing of Personal Information by Lytics, acting as a Data Processor or Service Provider, in providing its Subscription Services (also referred to herein as the “Service”) pursuant to the Agreement. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

1. Definitions
   • 1.1  “Data Subject” means any individual about whom Personal Information may be Processed under this DPA.
   • 1.2  “Data Protection Legislation” means the GDPR (as defined below), together with any national implementing laws in any Member State of the European Union or the United Kingdom or, to the extent applicable, data privacy laws of any other country, state or province, including the California Consumer Privacy Act, in each case as amended, repealed, consolidated or replaced from time to time.
   • 1.3  “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
   • 1.4  “Personal Information” means personal data or personal information (as defined under the Data Protection Legislation) that are subject to the Data Protection Legislation and that you authorize Lytics to collect and process on your behalf in connection with Lytics’ provision of the Service under the Agreement.
   • 1.5  “Process” or “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
   • 1.6  “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the controller (as such term is defined under the applicable Data Protection Legislation).
   • 1.7  “Security Incident” means known or reasonably suspected, unauthorized or unlawful access to or destruction, loss, alteration, or disclosure of Customer Data, which contains Personal Information.
   • 1.8  “Sensitive Information” means Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
   • 1.9  “Service Provider” means an entity that performs services on behalf of a business pursuant to the Agreement using Personal Information that the business provides it (as such term is defined under the applicable Data Protection Legislation).
   • 1.10 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries issued by the European Commission on 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council with modules three applicable to transfers from controller to processor.
2. Details of the Processing.
   • 2.1  Roles. The parties acknowledge and agree that with regard to the Processing of Personal Information pursuant to the Agreement, Customer is the controller, Lytics is the Processor and that Lytics will engage Sub-Processors (defined below) pursuant to the requirements set forth in Section 9 of this DPA. You acknowledge that Lytics is an independent controller when carrying out any activities not related solely to Lytics’ Processing of Personal Information on your behalf (such as Lytics’ management of its customer relationships and marketing program).
   • 2.2  Categories of Data Subjects. Refer to Exhibit A.2.3  Types of Personal Information. Refer to Exhibit A.
   • 2.4  Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Information by Lytics is the provision of the Services to you that involves the Processing of Personal Information. Personal Information will be subject to those Processing activities which Lytics needs to perform in order to provide the Services pursuant to the Agreement.
   • 2.5  Purpose of the Processing. Personal Information will be Processed by Lytics for purposes of providing the Services set out within the Agreement.
   • 2.6  Duration of the Processing. Personal Information will be Processed for each Subscription Term in accordance with this Agreement.
3. Limitations on Use. Lytics will Process Personal Information solely as a Processor or Service Provider on your behalf and in accordance with the Agreement, this DPA and any other documented instructions from you (whether in written or electronic form), which includes your configuration and use of the Service, or as otherwise required by applicable law. Notwithstanding anything to the contrary in the Agreement, Lytics shall not (i) retain use Personal Information other than as provided for in the Agreement or in the Service, or as needed to perform the Service, including as may be required to prevent or address Services support, security and technical issues in compliance with the terms of this Agreement, or (ii) sell or otherwise disclose such Personal Information except as needed to render the Service. Lytics is hereby instructed to Process Personal Information to the extent necessary to enable Lytics to provide the Service in accordance with the Agreement. In case Lytics cannot process Personal Information in accordance with your instructions due to a legal requirement under any applicable law to which Lytics is subject, Lytics shall (i) promptly notify you in writing (including by e-mail) of such legal requirement before carrying out the relevant Processing, to the extent permitted by the applicable law, and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as you provide Lytics with new instructions. You will be responsible for providing or making Personal Information available to Lytics in compliance with the Data Protection Legislation, including providing any necessary notices to, and obtaining any necessary consents from, Data Subjects whose Personal Information is provided by you to Lytics for Processing pursuant to this DPA. You acknowledge that the Service is not intended or designed for the Processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service. The parties agree that you provide Personal Information to Lytics as a condition precedent to Lytics’ performance of the Service and that Personal Information is not exchanged for monetary or other valuable consideration.
4. Security. Lytics implements and maintains, and will continue to do so throughout the term of the Agreement at all times in accordance with then current good industry practice, appropriate technical and organizational measures to protect Personal Information.  See Appendix B for a description of some of these security measures. In addition, the Subscription Services have been designed, taking into account the nature of its Processing, to assist you in securing Personal Information Processed by Lytics. Lytics will assist you with conducting any legally required data protection impact assessments (including subsequent consultation with a supervisory authority), if so required by the Data Protection Legislation, taking into account the nature of Processing and the information available to Lytics. Lytics may charge a reasonable fee for any such assistance, as permitted by applicable law.
5. Confidentiality. Lytics shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Lytics shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
6. Data Subject Requests. You are responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information Processed by Lytics under this DPA. Lytics will notify you promptly and in any event within ten (10) business days of receipt, unless prohibited by applicable law, if Lytics receives any such requests or complaints. The Service includes technical and organizational measures that have been designed, taking into account the nature of its Processing, to enable and assist customers in fulfilling their obligations to respond to such requests or complaints. In addition, to the extent Customer, in its use of the Subscription Service, does not have the ability to address a Data Subject Request, Lytics shall upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Lytics is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Lytics’ provision of any extraordinary assistance required hereunder.
7. Regulatory Investigations. At your request, Lytics will assist you in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, if and to the extent that such investigation relates to the Processing of Personal Information by Lytics on your behalf in accordance with this DPA. Lytics may charge a reasonable fee for such requested assistance except where such investigation arises from a breach by Lytics of the Agreement, to the extent permitted by applicable law.
8. Security Incident Notification and Management. In the event that Lytics becomes aware of a Security Incident, Lytics will notify you without undue delay and seek to do so within forty-eight (48) hours after Lytics discovers the Security Incident. In the event of such a Security Incident, Lytics shall provide you with a detailed description of the Security Incident and the Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Lytics will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. At your request, Lytics will provide reasonable assistance and cooperation with respect to any notifications that you are legally required to send to affected Data Subjects and regulators.
9. Sub-Processors. You agree that Lytics may disclose Personal Information to its subcontractors for purposes of providing the Service (“Sub-Processors”), provided that Lytics (i) shall enter into an agreement with its Sub-Processors which comply with Data Protection Legislation, including requiring the Sub-Processors to only process Personal Information to the extent required to perform the obligations sub-contracted to them, and (ii) shall remain liable for the obligations subcontracted to, and the acts and omissions of, the Sub-Processors. Lytics’ current list of Sub-Processors is located at Lytics’ Trust Center accessible at https://www.lytics.com. Lytics will inform you of any intended changes concerning the addition or replacement of Sub-Processors by updating its Sub-Processor webpage, which you acknowledge is your responsibility to check regularly. You can subscribe to receive notifications when any changes are made to Lytics’ Sub-Processors by following the instructions on the Sub-Processor webpage. You may object to such changes on reasonable grounds of data protection within ten (10) business days after being notified of the engagement of the Sub-Processor. If you object to a new Sub-Processor, as permitted in the preceding sentence, Lytics will use reasonable efforts to make available to you a change in the Service or recommend a commercially reasonable change to your configuration or use of the Service to avoid Processing of Personal Information by the objected-to new Sub-Processor. If Lytics is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate the component of the Service which cannot be provided by Lytics without the use of the objected-to new Sub-Processor by providing written notice to the other party. Lytics will refund you any prepaid fees covering the remainder of the Subscription Term following the effective date of termination with respect to such terminated component of the Service, without imposing a penalty on you for such termination.
10. Data Transfers. In connection with the performance of the Agreement and to the extent Customer’s use of the Service requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction, you authorize Lytics to transfer Personal Information internationally, and in particular to locations outside of the United Kingdom and European Economic Area, such as the United States. If required to ensure Lytics’ Processing of Personal Information complies with any international transfer rules set out in Data Protection Legislation, you and Lytics hereby enter into the Standard Contractual Clauses applicable to transfers from data controllers to data processors, incorporated into this DPA by reference, as if the clauses had been set out in full and completed at Exhibit A. Any replacement to the Standard Contractual Clauses adopted in accordance with the GDPR shall supersede the Standard Contractual Clauses incorporated into this DPA automatically, and Exhibit A to this DPA shall be interpreted instead so as to give full effect to such replacement Standard Contractual Clauses.
11. Information. Lytics shall make available to you information necessary to demonstrate compliance with the obligations laid down in this DPA.  Lytics has obtained the third-party certifications and audits noted on its Trust page at https://www.lytics.com. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Lytics shall make available to Customer that is not a competitor of Lytics a copy of Lytics’ then most recent third-party audits or certifications, as applicable. Lytics shall immediately inform you if, in its opinion, an instruction infringes the Data Protection Legislation.

Lytics Data Processing DPA Exhibit A –Processing Details

This Exhibit completes the template/blank sections of the Standard Contractual Clauses, which are incorporated into this Exhibit as if they had been set out in full. This Exhibit only applies if it is required to ensure Lytics’ Processing of Personal Information on your behalf complies with Data Protection Legislation.

Standard Contractual Clauses: main body particulars:

Exporter contact details: Your contact details as set out in the Agreement.

Importer contact details: Lytics, Inc. contact details as set out in the Agreement.

Governing Law (clauses 9 & 11): The law of the country in which the data exporter’s EU representative or data subject is established/ based (as appropriate).

Annex 1 of the Standard Contractual Clauses:

A: LIST OF THE PARTIES

Data Exporter: You with your address and contact information provided in the Service Order or Agreement and the nature of your organization’s business described on your company website.

Data Importer: Lytics, Inc. (a provider of online customer data platform services delivered as software as a service which Processes Personal Information upon instruction of the data exporter in accordance with the Agreement). Our address is as provided in the agreement.

B: DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of data subjects: Data exporter’s employees, contractors, representatives, agents, and other individuals whom data exporter permits to use the Service, as well as Personal Information relating to the data exporter’s customers and prospective customers.

Categories of personal data transferred:

Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following Personal Information: First and Last Name, data related to the browsing of Customer websites by its customers and prospective customers, email address, location, and passwords.

Sensitive data transferred (if applicable):

Data exporter may, subject to the restrictions set out in the Agreement, submit special categories of Personal Data to the Subscription Services, the extent of which is determined and controlled by data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The Security Measures described in Annex II will apply to any sensitive data transferred.

The frequency of the transfer:

Transfers may occur frequently on a daily basis.

Nature of the processing:

Collection, receipt, recording, organization, structuring, storage, retrieval, consultation, copying for backup, use, transmission, dissemination or otherwise making available (including in the form of reports), alignment or combination, restriction, deletion, and destruction.

Purpose(s) of the data transfer and further processing: 

The performance of the Subscription Services pursuant to the Agreement, including deletion of the data pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria

used to determine that period:

The period for which the personal data will be retained is stated in the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: 

Transfers to processors are for the duration of the provision of the Subscription Services under the Agreement. One subprocessor provides a content delivery service to deliver content related to Data Subject activity on Customer websites. Another subprocessor provides underlying cloud service data processing services, including hosting the data.

C: COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority is the one in EU member state where Customer is established or, if Customer is not established in EU, the competent supervisory authority where Customer’s representative appointed pursuant to GDPR Article 27 is established.

Annex 2 of the Standard Contractual Clauses:

Description of the technical and organisational security measures implemented by the data importer In accordance with Clauses 4(d) and 5(c):
As stated in Agreement Appendix B.