Luware Data Processing Agreement

Subject

1.1  The Parties have entered into the Luware Cloud Terms of Use (“Terms of Use”) due to Customer ordering, accessing or using the Services. To the extent the Services may relate to Luware’s processing of Customer Personal Data on behalf of Customer, the Parties wish to extend the Terms of Use to ensure their continuous compliance with the applicable Data Protection Laws.

1.2 This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use and shall terminate upon termination or expiration of the Terms of Use for whatever reason. The terms set forth in this DPA amend, supplement and supersede the Terms of Use in respect of provisions relating to Luware’s processing of Customer Personal Data. All terms and conditions of the Terms of Use not otherwise amended and supplemented herein remain unchanged and in full force and effect.

1.3 Any capitalized terms used in this DPA not otherwise defined hereunder shall have the same meaning as defined in the Terms of Use. In the event of a conflict between provisions of this DPA and the Terms of Use, this DPA shall prevail.

1.4 Luware may modify this DPA from time to time. Unless otherwise specified by Luware, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service order after the updated version of this DPA goes into effect. Luware will use reasonable efforts to notify Customer of the changes through communications via Customer’s account, email or other means.

General Provisions

2.1  Customer as the Data Controller of Customer Content and Customer Personal Data is responsible for its compliance with the applicable Data Protection Laws and shall keep records of its processing activities according to Art. 30 (1) GDPR.

2.2  The Parties agree that Luware and its Approved Third Parties may process Customer Personal Data in accordance with the provisions of this DPA. Luware shall comply with and procure that its Approved Third Parties comply with, the obligations imposed under the applicable Data Protection Laws in relation to the Customer Personal Data processed hereunder.

2.3 Luware shall process Customer Personal Data on behalf of Customer solely for the purposes of performing the Services under the Terms of Use. Luware will process Customer Personal Data in accordance with Customer’s instructions. The Terms of Use, including this DPA, Documentation and Luware Privacy Policy shall contain Customer’s initial instructions to Luware with regards to the processing under this DPA. Customer may communicate any change in its initial instructions to Luware by way of written notification. For the avoidance of doubt, any instructions that would lead to processing outside the scope of the Terms of Use, including this DPA, Documentation and Privacy Policy require a prior agreement between the Parties.

2.4  Luware shall immediately notify Customer if it considers, in its opinion acting reasonably, that it is required by law to act other than in accordance with the instructions of Customer pursuant to clause 2.3 of this DPA. Luware is not obliged to adhere to these instructions until the instruction is either confirmed or corrected by Customer. Instructions that are unlawful shall not be followed. Luware shall not be liable for any losses arising from or in connection with any processing made in accordance with such instructions.

2.5 Except in relation to the deletion and/or return of Customer Personal Data following expiry or termination of this DPA, the right of Luware and its Approved Third Parties to process Customer Personal Data under this DPA ends automatically with termination of the Terms of Use for whatever reason, unless required otherwise by the applicable Data Protection Laws.

data Processing aCTIVITIES

3.1  Customer understands that Luware and its Approved Third Parties will process Customer Personal Data in accordance with the applicable Data Protection Laws, the Terms of Use, this DPA, the Documentation and the Luware Privacy Policy, as amended from time to time.

3.2  Customer Personal Data is processed to perform the contractual obligations as set out in the Terms of Use, specifically the following processing activities:

Support and Maintenance Services: Luware may provide support and maintenance services to Customer in connection with the Terms of Use. Support and maintenance may be provided either in the context of Software or cloud-based Services (as may be applicable). When providing support and maintenance, Luware may be required to access or receive Customer Personal Data.

Professional Services: If Customer requires professional services as part of a Service offering, then Luware may be required by Customer to process Customer Personal Data as part of such an engagement.

Cloud-based Services: If Customer subscribes to cloud-based Services then Customer will upload Customer Content, including Customer Personal Data to that cloud-based Service in order to properly use the Service. Details of the processing practices with regards to the cloud-based Services of Luware can be found in the Luware Nimbus and Luware Recording Whitepapers.

Luware Affiliates defined as Approved Third Parties under this DPA may in particular provide technical support, project related services, back-office systems, data transfer and storage as well as backup and disaster recovery services.

3.3  Data Protection Officer for Luware. Email compliance@luware.com to the attention of the DPO of the Luware Group (Luware AG, Pfingstweidstrasse 102, 8005 Zurich, Switzerland).

3.4  Luware shall maintain the written log of its processing activities up to date.

PlAce of Processing

4.1 The processing under this DPA takes place in an EEA member state, Switzerland or the United Kingdom. Any transfer of Customer Personal Data to a third country which does not have a valid adequacy decision of the European Commission according to Art. 45 (3) GDPR is only permitted if approved by Customer and if at least one of the following conditions is met to ensure appropriate protection of the Customer Personal Data in that third country:

Appropriate safeguards with binding corporate rules, Art. 46 (2) lit. b and Art. 47 GDPR

Standard data protection clauses (SCC), Art. 46 (2) lit. c and d GDPR

Approved code of conduct, Art. 46 (2) lit. e and Art. 40 GDPR

Approved certification mechanism, Art. 46 (2) lit. f and Art. 42 GDPR

Other measures agreed between Customer and Luware, Art. 46 (2) lit. a, (3) lit. a and b GDPR; and/or

Exception according to Art. 49 GDPR

4.2 Where there is international transfer of Customer Personal Data to countries which do not ensure an adequate level of data protection in accordance with Art. 45 (3) GDPR, the Parties or Luware and its Approved Third Parties, as the case may be, enter into EU Standard Contractual Clauses with the Swiss and UK Addendum (“SCC”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Luware shall perform a risk assessment before such a transfer.

Approved third partIES

5.1  Luware may appoint third parties and disclose Customer Personal Data to such third parties only insofar as this is necessary to fulfill its obligations under the Terms of Use or as necessary to comply with applicable mandatory law. Luware will give Customer the opportunity to object to the engagement of new third parties on reasonable grounds relating to the protection of Personal Data within 30 days of notifying Customer. If Customer does notify Luware of such an objection in writing, the Parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached within 15 days, Luware will, at its sole discretion, either not appoint the new third party, or permit Customer to terminate the affected Subscription Service in accordance with the termination clause 11.2 of the Terms of Use without liability to either Party (but without prejudice to any fees incurred by Customer prior to termination). All Fees payable upon the effective date of termination shall become immediately due for payment.

5.2  Luware shall procure a legally binding agreement with the third party which shall be on terms that are similar to the terms of this DPA. Luware shall regularly monitor that its Approved Third Parties abide to such agreement and the applicable Data Protection Laws.

5.3  Luware shall remain responsible for the acts and omissions of its Approved Third Parties in connection with this DPA. Luware shall, without undue delay, notify Customer in the event that it becomes aware of any Data Breach by any of its Approved Third Parties in connection with this DPA.

5.4 Approved Third Parties. Directly involved in the provision of the Services under the Terms of Use are Luware’s Affiliates Luware AG; Luware UK Limited, Luware Poland Sp. z o.o (https://luware.com/en/imprint/); Verint Systems UK Limited, 241 Brooklands Road, Weybridge, Surrey KT13 0RH, United Kingdom, (reg. 02602824) and its Affiliates (if Verint products/services are ordered); Microsoft Ireland Operations Ltd. These providers shall be Approved Third Parties under this DPA.

5.5 24/7 Premium Support. Luware’s 24/7 support is provided by employees in Canada (Vancouver) (adequacy decision by the EU Commission) together with employees employed by Luware as well as all listed affiliates under clause 5.4. These employees are subject to Luware’s group-wide processes and policies including relevant background checks.

Data Processing

6.1  Luware ensures that its internal organization is set up in a way that enables it to comply with the applicable Data Protection Laws and good industry practice. It ensures that the technical and organizational measures taken provide appropriate protection regarding the confidentiality, integrity, availability and capacity of the respective systems. The state-of-the-art technique, costs of implementation, purpose, scope, type of Personal Data and method of processing as well as the risks of varying likelihood and severity for the rights and freedom of the Data Subject shall be taken into account when choosing the appropriate technical and organizational measures. Luware reviews its measures taken on a regular basis.

6.2  Luware shall ensure an audit of its technical and organizational security measures is carried out regularly in compliance with applicable Data Protection Laws and good industry practice.

6.3 Luware shall not modify, delete or rectify Customer Personal Data unless authorized by Customer or to the extent required for the proper performance of the Services under the Terms of Use. Luware shall not make copies of Customer Personal Data without the prior consent of Customer. Back-up copies are permitted provided they are necessary for the proper performance of the Services or required according to the applicable laws.

6.4 Luware shall procure that only these employees, contractors and agents and those employees, contractors and agents of its Approved Third Parties that need to have access to Customer Personal Data for the performance of the Services are granted such access. It shall take reasonable measures to ensure the reliability and integrity of these employees, contractors and agents and shall procure that appropriate contractually binding confidentiality undertakings have been entered into between itself and such parties. The confidentiality undertakings shall survive the termination of this DPA for whatever reason.

6.5 Luware shall, and shall procure that its Approved Third Parties, transfer Customer Personal Data only in accordance with this DPA as is strictly necessary for the performance of the Services hereunder, where authorized or instructed by Customer or where required by the applicable Data Protection Laws. In the latter case, Luware shall inform Customer before such a transfer is made, and in any case immediately after such disclosure, unless prohibited by the applicable Data Protection Laws.

6.6 Upon written request, Luware shall make available to Customer information reasonably requested by it to demonstrate Luware’s compliance with the obligations set out in this DPA and the applicable Data Protection Laws, in accordance with the following process:

(i) Upon Customer’s reasonable request, Luware shall provide the relevant and necessary material, documentation and information in relation to Luware’s technical and organizational security measures used to protect Customer Personal Data in relation to the Services in order to demonstrate compliance with applicable Data Protection Laws and this DPA.

(ii) If, following completion of the actions set out under clause 6.6 (i) of this DPA, Customer reasonably believes that Luware is non-compliant with the applicable Data Protection Laws or this DPA, Customer may request that Luware make available, either by webinar or in a face-to-face review, extracts of the relevant information necessary to further demonstrate its compliance. Customer wishing undertaking such review shall give Luware reasonable notice thereof by contacting Luware’s Data Protection Officer (compliance@luware.com to the attention of the General Counsel of the Luware Group with the subject line “Customer Audit Request”) of any review to be conducted under this section.

(iii) In the event that Customer reasonably believes that its findings following the steps set out under clause 6.6 (ii) do not enable it to comply materially with its obligations mandated under the applicable Data Protection Laws in relation to its appointment of Luware, then Customer may give Luware no less than thirty (30) days’ prior written notice of its intention to undertake an audit which may include inspections of Luware’s premises to be conducted by an independent auditor mandated by Customer (not being a competitor of Luware). Such audit shall (a) be subject to confidentiality obligations agreed between Customer and Luware, (b) be undertaken solely to the extent mandated by, and may not be further restricted under the applicable Data Protection Laws, (c) not require Luware to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Approved Third Parties), and (d) not be undertaken where it would place Luware in breach of its confidentiality obligations towards customers, vendors and/or partners, or (d) generally or otherwise cause Luware to breach laws applicable to it. The appointed auditor shall avoid causing any damage, injury or disruption to Luware’s premises, equipment, personnel or business in the course of such audit. To the extent that such audit performed exceeds one (1) business day, Luware reserves the right to charge Customer for each additional day at its then-current daily rates.

(iv) If following such an audit, Customer reasonably determines that Luware is non-compliant with the applicable Data Protection Laws then Customer shall provide details thereof in writing to Luware upon receipt of which Luware shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the Parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the Parties are unable to reach agreement on the Remediation Plan, or if an agreement is reached, Luware materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the Services in part or in whole which relate to the non-compliant Processing and the remaining Services shall otherwise continue unaffected by such termination.

6.7 The rights of Customer under clause 6.6 of this DPA may only be exercised once per calendar year unless Customer reasonably believes Luware to be in material breach of its obligations under this DPA or the applicable Data Protection Laws.

Assistance, breach notification and Deletion

7.1 Luware shall provide any reasonably necessary cooperation or assistance requested by Customer in connection with steps that Customer takes to comply with the applicable Data Protection Laws insofar as they directly relate to the Services. This includes assisting Customer with regulatory requirements and managing and responding to requests or complaints from Data Subjects, authorities and/or other third parties with respect to their rights under the applicable Data Protection Laws.

7.2  Where a Data Protection Impact Assessment (“DPIA”) is required under the applicable Data Protection Laws for the processing of Personal Data, Luware shall provide Customer, upon request, with reasonable cooperation and assistance needed to fulfill Customer’s obligation to carry out a DPIA related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and such information is available to Luware.

7.3 Data Subject Request. Luware shall promptly notify Customer if it or one of its Approved Third Party receive a request by a Data Subject and shall (i) not disclose any Personal Data in response to any such request without the prior written consent of Customer, (ii) promptly provide Customer with reasonable co-operation and assistance to any such request by the Data Subject, and (iii) provide Customer with any information reasonably requested by it.

7.4 Authority Request. If Luware is obliged by law to disclose Customer Personal Data to a law enforcement agency or other third party, Luware shall give Customer reasonable notice of the access request prior to granting such access, to allow Customer to seek a protective order or other appropriate remedy. Where such notice is legally prohibited, Luware shall take reasonable measures to limit the disclosure of Customer Personal Data.

7.5 Customer shall pay Luware reasonable charges mutually agreed between the Parties for providing the assistance under clauses 7.1, 7.2, 7.3 and 7.4 of this DPA, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.

7.6 Data Breach Notification. Luware shall, without undue delay, provide Customer with all information in Luware’s possession concerning a Data Breach in connection with the Terms of Use or this DPA. Following such notification and, within such timescale to be agreed between the Parties (acting reasonably and in good faith), both Parties shall support each other to (i) implement any measures necessary to restore the integrity of compromised Customer Personal Data, and (ii) make any necessary notifications to the relevant authorities, affected Data Subjects and other relevant third parties.

7.7 Return and Deletion. Upon termination or expiration of this DPA for whatever reason, Luware will make Customer Personal Data available for export for thirty (30) days from the effective date of termination or expiration (“Export Period”). For Customer Personal Data that is retained by Luware and is exportable, and provided that Customer has paid all applicable Fees, Customer may contact Luware via support@luware.com within the Export Period and have Customer Personal Data exported by Luware, subject to the applicable professional services fees. After the expiration of the Export Period, Luware will delete available Customer Personal Data except as necessary to comply with Luware’s legal obligations, resolve disputes, and enforce this DPA. Once deleted, Customer Content cannot be recovered.

Final provisions

8.1 Neither Party may assign any of its rights or obligations under this DPA, without the prior written consent of the other Party (not to be unreasonably withheld). Either Party may however assign this DPA to a successor of all or substantially all of the business of such Party whether by merger, acquisition, corporate reorganization, or sale of substantially all of its assets without the other Party’s consent. This DPA shall be binding upon and inure to the benefit of the Parties’ successors.

8.2 If individual clauses of this DPA are either fully or partially unlawful, invalid, or for any other reason unenforceable, the validity of the remaining clauses of this DPA shall not be affected. The Parties are obliged to cooperate in good faith to replace such invalid clauses with clauses which the Parties would have intended at the time of concluding this DPA and which come as close as possible to the invalid clause.

8.3  Neither Party will be liable to the other for any delay or failure to perform any obligation under this DPA if the delay or failure results from any cause beyond that Party’s reasonable control, including but not limited to, acts of God, acts of government, acts of terror or civil unrest, internet failures, or acts undertaken by third parties not under the performing Party’s control, including, without limitation, denial of service attacks (“Force Majeure Event”). In the event that a Force Majeure Event continues for a period of thirty (30) consecutive days, the other Party may terminate this DPA on written notice to the non-performing Party.

8.4  This DPA shall terminate upon termination or expiration of the Terms of Use for whatever reason. Each Party’s right of extraordinary and immediate termination according to statutory provisions shall not be affected. Notwithstanding the foregoing, this DPA shall survive the termination or expiry of the Terms of Use to the extent that Luware continues to process Customer Personal Data.

8.5  This DPA shall be governed by and be construed in accordance with the laws of Germany under the explicit exclusion of the UN Convention on Contracts for the International Sale of Goods. Place of jurisdiction is Stuttgart subject to mandatory legal provisions.

Annex 1: Details of Processing Activities

This Annex 1 describes the subject, the duration of the processing, the nature and purpose of the processing operations, the types of personal data and categories of data subjects that are governed by the provisions of this DPA, of which it forms an integral part.

Subject-matter

Process of Personal Data for the provision of Services in accordance with the Luware Cloud Terms of Use.

Duration of the processing

We will process Personal Data for the term of the Luware Cloud Terms of Use or written individual Agreement in a Luware offer, unless otherwise agreed in writing.

Nature and purpose of the processing

Personal Data will be Processed only as described in the Luware Cloud Terms of Use, the Luware Nimbus Whitepaper and the Luware Recording Whitepaper.

Types of personal data

Depending on the products and services used by the Customer, personal data from the following categories may be included:

Basic personal data (for example first name, last name, e-mail address, phone number)

Authentication data (for example audit trail)

Call details (for example Start/End time of the call, technical call details, caller’s phone number or SIP address, Azure user location/department)

User states (for example O365 ID of the Office 365 User, user state type such as offline, off duty, selectable)

Conversation context (additional information to the caller phone number)

Simplified session logs (for example called service, caller phone number)

Configuration data (Costumer configuration data of the Nimbus system)

Call recordings (for example audio recording of the conversation, video recording of the conversation)

Voicemail records (voice messages left from a caller on a Nimbus service)

Categories of data subjects

Customer’s representatives

Service users

End-users

Approved Third Parties

Subject

1.1  The Parties have entered into the Luware Cloud Terms of Use (“Terms of Use”) due to Customer ordering, accessing or using the Services. To the extent the Services may relate to Luware’s processing of Customer Personal Data on behalf of Customer, the Parties wish to extend the Terms of Use to ensure their continuous compliance with the applicable Data Protection Laws.

1.2 This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use and shall terminate upon termination or expiration of the Terms of Use for whatever reason. The terms set forth in this DPA amend, supplement and supersede the Terms of Use in respect of provisions relating to Luware’s processing of Customer Personal Data. All terms and conditions of the Terms of Use not otherwise amended and supplemented herein remain unchanged and in full force and effect.

1.3 Any capitalized terms used in this DPA not otherwise defined hereunder shall have the same meaning as defined in the Terms of Use. In the event of a conflict between provisions of this DPA and the Terms of Use, this DPA shall prevail.

1.4 Luware may modify this DPA from time to time. Unless otherwise specified by Luware, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service order after the updated version of this DPA goes into effect. Luware will use reasonable efforts to notify Customer of the changes through communications via Customer’s account, email or other means.

General Provisions

2.1  Customer, as the Data Controller of Customer Content and Customer Personal Data, is responsible for its compliance with the applicable Data Protection Laws and shall keep records of its processing activities according to Art. 30 (1) GDPR respectively Art. 12 (1) FADP.

2.2  The Parties agree that Luware and its Approved Third Parties may process Customer Personal Data in accordance with the provisions of this DPA. Luware shall comply with and procure that its Approved Third Parties comply with the obligations imposed under the applicable Data Protection Laws in relation to the Customer Personal Data processed hereunder.

2.3 Luware shall process Customer Personal Data on behalf of Customer solely for the purposes of performing the Services under the Terms of Use. Luware will process Customer Personal Data in accordance with Customer’s instructions. The Terms of Use, including this DPA, Documentation and Luware Privacy Policy shall contain Customer’s initial instructions to Luware with regards to the processing under this DPA. Customer may communicate any change in its initial instructions to Luware by way of written notification. For the avoidance of doubt, any instructions that would lead to processing outside the scope of the Terms of Use, including this DPA, Documentation and Privacy Policy require a prior agreement between the Parties.

2.4  Luware shall immediately notify Customer if it considers, in its opinion acting reasonably, that it is required by law to act other than in accordance with the instructions of Customer pursuant to clause 2.3 of this DPA. Luware is not obliged to adhere to these instructions until the instruction is either confirmed or corrected by Customer. Instructions that are unlawful shall not be followed. Luware shall not be liable for any losses arising from or in connection with any processing made in accordance with such instructions.

2.5 Except in relation to the deletion and/or return of Customer Personal Data following expiry or termination of this DPA, the right of Luware and its Approved Third Parties to process Customer Personal Data under this DPA ends automatically with termination of the Terms of Use for whatever reason, unless required otherwise by the applicable Data Protection Laws.

data Processing aCTIVITIES

3.1  Customer understands that Luware and its Approved Third Parties will process Customer Personal Data in accordance with the applicable Data Protection Laws, the Terms of Use, this DPA, the Documentation and the Luware Privacy Policy, as amended from time to time.

3.2  Customer Personal Data is processed to perform the contractual obligations as set out in the Terms of Use, specifically the following processing activities:

Support and Maintenance Services: Luware may provide support and maintenance services to Customer in connection with the Terms of Use. Support and maintenance may be provided either in the context of Software or cloud-based Services (as may be applicable). When providing support and maintenance, Luware may be required to access or receive Customer Personal Data.

Professional Services: If Customer requires professional services as part of a Service offering, then Luware may be required by Customer to process Customer Personal Data as part of such an engagement.

Cloud-based Services: If Customer subscribes to cloud-based Services then Customer will upload Customer Content, including Customer Personal Data to that cloud-based Service in order to properly use the Service. Details of the processing practices with regards to the cloud-based Services of Luware can be found in the Luware Nimbus and Luware Recording Whitepapers.

Luware Affiliates defined as Approved Third Parties under this DPA may in particular provide technical support, project related services, back-office systems, data transfer and storage as well as backup and disaster recovery services.

3.3  Data Protection Officer for Luware. Email compliance@luware.com to the attention of the DPO of the Luware Group (Luware AG, Pfingstweidstrasse 102, 8005 Zurich, Switzerland).

3.4  Luware shall maintain the written log of its processing activities up to date.

PlAce of Processing

4.1 The processing under this DPA takes place in an EEA member state, Switzerland or the United Kingdom. Any transfer of Customer Personal Data to a third country which does not have a valid adequacy decision of the European Commission according to Art. 45 (3) GDPR respectively of the Federal Council according to Art. 16 (1) FADP is only permitted if approved by Customer and if at least one of the conditions in Art. 46 (2) or Art. 49 GDPR respectively Art. 16 (2) or Art. 17 FADP is met to ensure appropriate protection of the Customer Personal Data in that third country.

4.2 Where there is international transfer of Customer Personal Data to countries which do not ensure an adequate level of data protection in accordance with Art. 45 (3) GDPR respectively Art. 16 (1) FADP, the Parties or Luware and its Approved Third Parties, as the case may be, enter into EU Standard Contractual Clauses with the Swiss and UK Addendum (“SCC”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Luware shall perform a risk assessment before such a transfer.

Approved third partIES

5.1  Luware may appoint third parties and disclose Customer Personal Data to such third parties only insofar as this is necessary to fulfill its obligations under the Terms of Use or as necessary to comply with applicable mandatory law. Luware will give Customer the opportunity to object to the engagement of new third parties on reasonable grounds relating to the protection of Personal Data within 30 days of notifying Customer. If Customer does notify Luware of such an objection in writing, the Parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached within 15 days, Luware will, at its sole discretion, either not appoint the new third party, or permit Customer to terminate the affected Subscription Service in accordance with the termination clause 11.2 of the Terms of Use without liability to either Party (but without prejudice to any fees incurred by Customer prior to termination). All Fees payable upon the effective date of termination shall become immediately due for payment.

5.2  Luware shall procure a legally binding agreement with the third party which shall be on terms that are similar to the terms of this DPA. Luware shall regularly monitor that its Approved Third Parties abide to such agreement and the applicable Data Protection Laws.

5.3  Luware shall remain responsible for the acts and omissions of its Approved Third Parties in connection with this DPA. Luware shall, without undue delay, notify Customer in the event that it becomes aware of any Data Breach by any of its Approved Third Parties in connection with this DPA.

5.4 Approved Third Parties. Directly involved in the provision of the Services under the Terms of Use are Luware’s Affiliates Luware Deutschland GmbH; Luware UK Limited, Luware Poland Sp. z o.o (https://luware.com/en/imprint/); Verint Systems UK Limited, 241 Brooklands Road, Weybridge, Surrey KT13 0RH, United Kingdom, (reg. 02602824) and its Affiliates (if Verint products/services are ordered); Microsoft Ireland Operations Ltd. These providers shall be Approved Third Parties under this DPA.

5.5 24/7 Premium Support. Luware’s 24/7 support is provided by employees in Canada (Vancouver) (adequacy decision by the EU Commission) together with employees employed by Luware as well as all listed affiliates under clause 5.4. These employees are subject to Luware’s group-wide processes and policies including relevant background checks.

Data Processing

6.1  Luware ensures that its internal organization is set up in a way that enables it to comply with the applicable Data Protection Laws and good industry practice. Luware ensures that the technical and organizational measures taken provide appropriate protection regarding the confidentiality, integrity, availability and capacity of the respective systems. The state-of-the-art technique, costs of implementation, purpose, scope, type of Personal Data and method of processing as well as the risks of varying likelihood and severity for the rights and freedom of the Data Subject shall be taken into account when choosing the appropriate technical and organizational measures. Luware reviews its measures taken on a regular basis.

6.2  Luware shall ensure an audit of its technical and organizational security measures is carried out regularly in compliance with applicable Data Protection Laws and good industry practice.

6.3 Luware shall not modify, delete or rectify Customer Personal Data unless authorized by Customer or to the extent required for the proper performance of the Services under the Terms of Use. Luware shall not make copies of Customer Personal Data without the prior consent of Customer. Back-up copies are permitted provided they are necessary for the proper performance of the Services or required according to the applicable laws.

6.4 Luware shall procure that only these employees, contractors and agents and those employees, contractors and agents of its Approved Third Parties that need to have access to Customer Personal Data for the performance of the Services are granted such access. It shall take reasonable measures to ensure the reliability and integrity of these employees, contractors and agents and shall procure that appropriate contractually binding confidentiality undertakings have been entered into between itself and such parties. The confidentiality undertakings shall survive the termination of this DPA for whatever reason.

6.5 Luware shall, and shall procure that its Approved Third Parties, transfer Customer Personal Data only in accordance with this DPA as is strictly necessary for the performance of the Services hereunder, where authorized or instructed by Customer or where required by the applicable Data Protection Laws. In the latter case, Luware shall inform Customer before such a transfer is made, and in any case immediately after such disclosure, unless prohibited by the applicable Data Protection Laws.

6.6 Upon written request, Luware shall make available to Customer information reasonably requested by it to demonstrate Luware’s compliance with the obligations set out in this DPA and the applicable Data Protection Laws, in accordance with the following process:

(i) Upon Customer’s reasonable request, Luware shall provide the relevant and necessary material, documentation and information in relation to Luware’s technical and organizational security measures used to protect Customer Personal Data in relation to the Services in order to demonstrate compliance with applicable Data Protection Laws and this DPA.

(ii) If, following completion of the actions set out under clause 6.6 (i) of this DPA, Customer reasonably believes that Luware is non-compliant with the applicable Data Protection Laws or this DPA, Customer may request that Luware make available, either by webinar or in a face-to-face review, extracts of the relevant information necessary to further demonstrate its compliance. Customer wishing undertaking such review shall give Luware reasonable notice thereof by contacting Luware’s Data Protection Officer (compliance@luware.com to the attention of the General Counsel of the Luware Group with the subject line “Customer Audit Request”) of any review to be conducted under this section.

(iii) In the event that Customer reasonably believes that its findings following the steps set out under clause 6.6 (ii) do not enable it to comply materially with its obligations mandated under the applicable Data Protection Laws in relation to its appointment of Luware, then Customer may give Luware no less than thirty (30) days’ prior written notice of its intention to undertake an audit which may include inspections of Luware’s premises to be conducted by an independent auditor mandated by Customer (not being a competitor of Luware). Such audit shall (a) be subject to confidentiality obligations agreed between Customer and Luware, (b) be undertaken solely to the extent mandated by, and may not be further restricted under the applicable Data Protection Laws, (c) not require Luware to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Approved Third Parties), and (d) not be undertaken where it would place Luware in breach of its confidentiality obligations towards customers, vendors and/or partners, or (d) generally or otherwise cause Luware to breach laws applicable to it. The appointed auditor shall avoid causing any damage, injury or disruption to Luware’s premises, equipment, personnel or business in the course of such audit. To the extent that such audit performed exceeds one (1) business day, Luware reserves the right to charge Customer for each additional day at its then-current daily rates.

(iv) If following such an audit, Customer reasonably determines that Luware is non-compliant with the applicable Data Protection Laws then Customer shall provide details thereof in writing to Luware upon receipt of which Luware shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the Parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the Parties are unable to reach agreement on the Remediation Plan, or if an agreement is reached, Luware materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the Services in part or in whole which relate to the non-compliant processing and the remaining Services shall otherwise continue unaffected by such termination.

6.7 The rights of Customer under clause 6.6 of this DPA may only be exercised once per calendar year unless Customer reasonably believes Luware to be in material breach of its obligations under this DPA or the applicable Data Protection Laws.

Assistance, breach notification and Deletion

7.1 Luware shall provide any reasonably necessary cooperation or assistance requested by Customer in connection with steps that Customer takes to comply with the applicable Data Protection Laws insofar as they directly relate to the Services. This includes assisting Customer with regulatory requirements and managing and responding to requests or complaints from Data Subjects, authorities and/or other third parties with respect to their rights under the applicable Data Protection Laws.

7.2  Where a Data Protection Impact Assessment (“DPIA”) is required under the applicable Data Protection Laws for the processing of Personal Data, Luware shall provide Customer, upon request, with reasonable cooperation and assistance needed to fulfill Customer’s obligation to carry out a DPIA related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and such information is available to Luware.

7.3 Data Subject Request. Luware shall promptly notify Customer if it or one of its Approved Third Party receive a request by a Data Subject and shall (i) not disclose any Personal Data in response to any such request without the prior written consent of Customer, (ii) promptly provide Customer with reasonable co-operation and assistance to any such request by the Data Subject, and (iii) provide Customer with any information reasonably requested by it.

7.4 Authority Request. If Luware is obliged by law to disclose Customer Personal Data to a law enforcement agency or other third party, Luware shall give Customer reasonable notice of the access request prior to granting such access, to allow Customer to seek a protective order or other appropriate remedy. Where such notice is legally prohibited, Luware shall take reasonable measures to limit the disclosure of Customer Personal Data.

7.5 Customer shall pay Luware reasonable charges mutually agreed between the Parties for providing the assistance under clauses 7.1, 7.2, 7.3 and 7.4 of this DPA, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.

7.6 Data Breach Notification. Luware shall, without undue delay provide Customer with all information in Luware’s possession concerning a Data Breach in connection with the Terms of Use or this DPA. Following such notification and, within such timescale to be agreed between the Parties (acting reasonably and in good faith), both Parties shall support each other to (i) implement any measures necessary to restore the integrity of compromised Customer Personal Data, and (ii) make any necessary notifications to the relevant authorities, affected Data Subjects and other relevant third parties.

7.7 Return and Deletion. Upon termination or expiration of this DPA for whatever reason, Luware will make Customer Personal Data available for export for thirty (30) days from the effective date of termination or expiration (“Export Period”). For Customer Personal Data that is retained by Luware and is exportable, and provided that Customer has paid all applicable Fees, Customer may contact Luware via support@luware.com within the Export Period and have Customer Personal Data exported by Luware, subject to the applicable professional services fees. After the expiration of the Export Period, Luware will delete available Customer Personal Data except as necessary to comply with Luware’s legal obligations, resolve disputes, and enforce this DPA. Once deleted, Customer Content cannot be recovered.

Final provisions

8.1 Neither Party may assign any of its rights or obligations under this DPA, without the prior written consent of the other Party (not to be unreasonably withheld). Either Party may however assign this DPA to a successor of all or substantially all of the business of such Party whether by merger, acquisition, corporate reorganization, or sale of substantially all of its assets without the other Party’s consent. This DPA shall be binding upon and inure to the benefit of the Parties’ successors.

8.2 If individual clauses of this DPA are either fully or partially unlawful, invalid, or for any other reason unenforceable, the validity of the remaining clauses of this DPA shall not be affected. The Parties are obliged to cooperate in good faith to replace such invalid clauses with clauses which the Parties would have intended at the time of concluding this DPA and which come as close as possible to the invalid clause.

8.3  Neither Party will be liable to the other for any delay or failure to perform any obligation under this DPA if the delay or failure results from any cause beyond that Party’s reasonable control, including but not limited to, acts of God, acts of government, acts of terror or civil unrest, internet failures, or acts undertaken by third parties not under the performing Party’s control, including, without limitation, denial of service attacks (“Force Majeure Event”). In the event that a Force Majeure Event continues for a period of thirty (30) consecutive days, the other Party may terminate this DPA on written notice to the non-performing Party.

8.4  This DPA shall terminate upon termination or expiration of the Terms of Use for whatever reason. Each Party’s right of extraordinary and immediate termination according to statutory provisions shall not be affected. Notwithstanding the foregoing, this DPA shall survive the termination or expiry of the Terms of Use to the extent that Luware continues to process Customer Personal Data.

8.5  This DPA shall be governed by and be construed in accordance with the laws of Switzerland under the explicit exclusion of the UN Convention on Contracts for the International Sale of Goods. Place of jurisdiction is Zurich subject to mandatory legal provisions.

Annex 1: Details of Processing Activities

This Annex 1 describes the subject, the duration of the processing, the nature and purpose of the processing operations, the types of personal data and categories of data subjects that are governed by the provisions of this DPA, of which it forms an integral part.

Subject-matter

Process of Personal Data for the provision of Services in accordance with the Luware Cloud Terms of Use.

Duration of the processing

We will process Personal Data for the term of the Luware Cloud Terms of Use or written individual Agreement in a Luware offer, unless otherwise agreed in writing.

Nature and purpose of the processing

Personal Data will be processed only as described in the Luware Cloud Terms of Use, the Luware Nimbus Whitepaper and the Luware Recording Whitepaper.

Types of personal data

Depending on the products and services used by the Customer, personal data from the following categories may be included:

Basic personal data (for example first name, last name, e-mail address, phone number)

Authentication data (for example audit trail)

Call details (for example Start/End time of the call, technical call details, caller’s phone number or SIP address, Azure user location/department)

User states (for example O365 ID of the Office 365 User, user state type such as offline, off duty, selectable)

Conversation context (additional information to the caller phone number)

Simplified session logs (for example called service, caller phone number)

Configuration data (Costumer configuration data of the Nimbus system)

Call recordings (for example audio recording of the conversation, video recording of the conversation)

Voicemail records (voice messages left from a caller on a Nimbus service)

Categories of data subjects

Customer’s representatives

Service users

End-users

Approved Third Parties

Subject

1.1  The Parties have entered into the Luware Cloud Terms of Use (“Terms of Use”) due to Customer ordering, accessing or using the Services. To the extent the Services may relate to Luware’s processing of Customer Personal Data on behalf of Customer, the Parties wish to extend the Terms of Use to ensure their continuous compliance with the applicable Data Protection Laws.

1.2 This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use and shall terminate upon termination or expiration of the Terms of Use for whatever reason. The terms set forth in this DPA amend, supplement and supersede the Terms of Use in respect of provisions relating to Luware’s processing of Customer Personal Data. All terms and conditions of the Terms of Use not otherwise amended and supplemented herein remain unchanged and in full force and effect.

1.3 Any capitalized terms used in this DPA not otherwise defined hereunder shall have the same meaning as defined in the Terms of Use. In the event of a conflict between provisions of this DPA and the Terms of Use, this DPA shall prevail.

1.4 Luware may modify this DPA from time to time. Unless otherwise specified by Luware, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service order after the updated version of this DPA goes into effect. Luware will use reasonable efforts to notify Customer of the changes through communications via Customer’s account, email or other means.

General Provisions

2.1  Customer as the Data Controller of Customer Content and Customer Personal Data is responsible for its compliance with the applicable Data Protection Laws and shall keep records of its processing activities according to Art. 30 (1) GDPR respectively UK GDPR.

2.2  The Parties agree that Luware and its Approved Third Parties may process Customer Personal Data in accordance with the provisions of this DPA. Luware shall comply with and procure that its’ Approved Third Parties comply with, the obligations imposed under the applicable Data Protection Laws in relation to the Customer Personal Data processed hereunder.

2.3 Luware shall process Customer Personal Data on behalf of Customer solely for the purposes of performing the Services under the Terms of Use. Luware will process Customer Personal Data in accordance with Customer’s instructions. The Terms of Use, including this DPA, Documentation and Luware Privacy Policy shall contain Customer’s initial instructions to Luware with regards to the processing under this DPA. Customer may communicate any change in its initial instructions to Luware by way of written notification. For the avoidance of doubt, any instructions that would lead to processing outside the scope of the Terms of Use, including this DPA, Documentation and Privacy Policy require a prior agreement between the Parties.

2.4  Luware shall immediately notify Customer if it considers, in its opinion acting reasonably, that it is required by law to act other than in accordance with the instructions of Customer pursuant to clause 2.3 of this DPA. Luware is not obliged to adhere to these instructions until the instruction is either confirmed or corrected by Customer. Instructions that are unlawful shall not be followed. Luware shall not be liable for any losses arising from or in connection with any processing made in accordance with such instructions.

2.5 Except in relation to the deletion and/or return of Customer Personal Data following expiry or termination of this DPA, the right of Luware and its Approved Third Parties to process Customer Personal Data under this DPA ends automatically with termination of the Terms of Use for whatever reason, unless required otherwise by the applicable Data Protection Laws.

data Processing aCTIVITIES

3.1  Customer understands that Luware and its Approved Third Parties will process Customer Personal Data in accordance with the applicable Data Protection Laws, the Terms of Use, this DPA, the Documentation and the Luware Privacy Policy, as amended from time to time.

3.2  Customer Personal Data is processed to perform the contractual obligations as set out in the Terms of Use, specifically the following processing activities:

Support and Maintenance Services: Luware may provide support and maintenance services to Customer in connection with the Terms of Use. Support and maintenance may be provided either in the context of Software or cloud-based Services (as may be applicable). When providing support and maintenance, Luware may be required to access or receive Customer Personal Data.

Professional Services: If Customer requires professional services as part of a Service offering, then Luware may be required by Customer to process Customer Personal Data as part of such an engagement.

Cloud-based Services: If Customer subscribes to cloud-based Services then Customer will upload Customer Content, including Customer Personal Data to that cloud-based Service in order to properly use the Service. Details of the processing practices with regards to the cloud-based Services of Luware can be found in the Luware Nimbus and Luware Recording Whitepapers.

Luware Affiliates defined as Approved Third Parties under this DPA may in particular provide technical support, project related services, back-office systems, data transfer and storage as well as backup and disaster recovery services.

3.3  Data Protection Officer for Luware. Email compliance@luware.com to the attention of the DPO of the Luware Group (Luware AG, Pfingstweidstrasse 102, 8005 Zurich, Switzerland).

3.4  Luware shall maintain the written log of its processing activities up to date.

PlAce of Processing

4.1 The processing under this DPA takes place in an EEA member state, Switzerland or the United Kingdom. Any transfer of Customer Personal Data to a third country which does not have a valid adequacy decision of the European Commission according to Art. 45 (3) GDPR respectively of the Secretary of State Art. 45 (1) UK GDPR and Section 17A of the UK Data Protection Act 2018 is only permitted if approved by Customer and if at least one of the following conditions is met to ensure appropriate protection of the Customer Personal Data in that third country:

Appropriate safeguards with binding corporate rules, Art. 46 (2) lit. b and Art. 47 GDPR resp. UK GDPR;

Standard data protection clauses (SCC), Art. 46 (2) lit. c and d GDPR resp. UK GDPR

Approved code of conduct, Art. 46 (2) lit. e and Art. 40 GDPR resp. UK GDPR

Approved certification mechanism, Art. 46 (2) lit. f and Art. 42 GDPR resp. UK GDPR

Other measures agreed between Customer and Luware, Art. 46 (2) lit. a, (3) lit. a and b GDPR resp. UK GDPR; and/or

Exception according to Art. 49 GDPR resp. UK GDPR

4.2 Where there is international transfer of Customer Personal Data to countries which do not ensure an adequate level of data protection in accordance with Art. 45 (3) GDPR respectively Art. Art. 45 (1) UK GDPR and Section 17A of the 2018 Data Protection Act, the Parties or Luware and its Approved Third Parties, as the case may be, enter into EU Standard Contractual Clauses with the Swiss and UK Addendum(“SCC”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Luware shall perform a risk assessment before such a transfer.

Approved third partIES

5.1  Luware may appoint third parties and disclose Customer Personal Data to such third parties only insofar as this is necessary to fulfill its obligations under the Terms of Use or as necessary to comply with applicable mandatory law. Luware will give Customer the opportunity to object to the engagement of new third parties on reasonable grounds relating to the protection of Personal Data within 30 days of notifying Customer. If Customer does notify Luware of such an objection in writing, the Parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached within 15 days, Luware will, at its sole discretion, either not appoint the new third party, or permit Customer to terminate the affected Subscription Service in accordance with the termination clause 11.2 of the Terms of Use without liability to either Party (but without prejudice to any fees incurred by Customer prior to termination). All Fees payable upon the effective date of termination shall become immediately due for payment. 

5.2  Luware shall procure a legally binding agreement with the third party which shall be on terms that are similar to the terms of this DPA. Luware shall regularly monitor that its Approved Third Parties abide to such agreement and the applicable Data Protection Laws.  

5.3  Luware shall remain responsible for the acts and omissions of its Approved Third Parties in connection with this DPA. Luware shall, without undue delay, notify Customer in the event that it becomes aware of any Data Breach by any of its Approved Third Parties in connection with this DPA.

5.4 Approved Third Parties. Directly involved in the provision of the Services under the Terms of Use are Luware’s Affiliates Luware Deutschland GmbH; Luware AG, Luware Poland Sp. z o.o (https://luware.com/en/imprint/); Verint Systems UK Limited, 241 Brooklands Road, Weybridge, Surrey KT13 0RH, United Kingdom, (reg. 02602824) and its Affiliates (if Verint products/services are ordered); Microsoft Ireland Operations Ltd. These providers shall be Approved Third Parties under this DPA.

5.5 24/7 Premium Support. Luware’s 24/7 support is provided by employees in Canada (Vancouver) (adequacy decision by the EU Commission) together with employees employed by Luware as well as all listed affiliates under clause 5.4. These employees are subject to Luware’s group-wide processes and policies including relevant background checks.   

Data Processing

6.1  Luware ensures that its internal organization is set up in a way that enables it to comply with the applicable Data Protection Laws and good industry practice. It ensures that the technical and organizational measures taken provide appropriate protection regarding the confidentiality, integrity, availability and capacity of the respective systems. The state-of-the-art technique, costs of implementation, purpose, scope, type of Personal Data and method of processing as well as the risks of varying likelihood and severity for the rights and freedom of the Data Subject shall be taken into account when choosing the appropriate technical and organizational measures. Luware reviews its measures taken on a regular basis.

6.2  Luware shall ensure an audit of its technical and organizational security measures is carried out regularly in compliance with applicable Data Protection Laws and good industry practice.

6.3 Luware shall not modify, delete or rectify Customer Personal Data unless authorized by Customer or to the extent required for the proper performance of the Services under the Terms of Use. Luware shall not make copies of Customer Personal Data without the prior consent of Customer. Back-up copies are permitted provided they are necessary for the proper performance of the Services or required according to the applicable laws.

6.4 Luware shall procure that only these employees, contractors and agents and those employees, contractors and agents of its Approved Third Parties that need to have access to Customer Personal Data for the performance of the Services are granted such access. It shall take reasonable measures to ensure the reliability and integrity of these employees, contractors and agents and shall procure that appropriate contractually binding confidentiality undertakings have been entered into between itself and such parties. The confidentiality undertakings shall survive the termination of this DPA for whatever reason.

6.5 Luware shall, and shall procure that its Approved Third Parties, transfer Customer Personal Data only in accordance with this DPA as is strictly necessary for the performance of the Services hereunder, where authorized or instructed by Customer or where required by the applicable Data Protection Laws. In the latter case, Luware shall inform Customer before such a transfer is made, and in any case immediately after such disclosure, unless prohibited by the applicable Data Protection Laws.

6.6 Upon written request, Luware shall make available to Customer information reasonably requested by it to demonstrate Luware’s compliance with the obligations set out in this DPA and the applicable Data Protection Laws, in accordance with the following process:

(i) Upon Customer’s reasonable request, Luware shall provide the relevant and necessary material, documentation and information in relation to Luware’s technical and organizational security measures used to protect Customer Personal Data in relation to the Services in order to demonstrate compliance with applicable Data Protection Laws and this DPA.

(ii) If, following completion of the actions set out under clause 6.6 (i) of this DPA, Customer reasonably believes that Luware is non-compliant with the applicable Data Protection Laws or this DPA, Customer may request that Luware make available, either by webinar or in a face-to-face review, extracts of the relevant information necessary to further demonstrate its compliance. Customer wishing undertaking such review shall give Luware reasonable notice thereof by contacting Luware’s Data Protection Officer (compliance@luware.com to the attention of the General Counsel of the Luware Group with the subject line “Customer Audit Request”) of any review to be conducted under this section.

(iii) In the event that Customer reasonably believes that its findings following the steps set out under clause 6.6 (ii) do not enable it to comply materially with its obligations mandated under the applicable Data Protection Laws in relation to its appointment of Luware, then Customer may give Luware no less than thirty (30) days’ prior written notice of its intention to undertake an audit which may include inspections of Luware’s premises to be conducted by an independent auditor mandated by Customer (not being a competitor of Luware). Such audit shall (a) be subject to confidentiality obligations agreed between Customer and Luware, (b) be undertaken solely to the extent mandated by, and may not be further restricted under the applicable Data Protection Laws, (c) not require Luware to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Approved Third Parties), and (d) not be undertaken where it would place Luware in breach of its confidentiality obligations towards customers, vendors and/or partners, or (d) generally or otherwise cause Luware to breach laws applicable to it. The appointed auditor shall avoid causing any damage, injury or disruption to Luware’s premises, equipment, personnel or business in the course of such audit. To the extent that such audit performed exceeds one (1) business day, Luware reserves the right to charge Customer for each additional day at its then-current daily rates.

(iv) If following such an audit, Customer reasonably determines that Luware is non-compliant with the applicable Data Protection Laws then Customer shall provide details thereof in writing to Luware upon receipt of which Luware shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the Parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the Parties are unable to reach agreement on the Remediation Plan, or if an agreement is reached, Luware materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the Services in part or in whole which relate to the non-compliant processing and the remaining Services shall otherwise continue unaffected by such termination.

6.7 The rights of Customer under clause 6.6 of this DPA may only be exercised once per calendar year unless Customer reasonably believes Luware to be in material breach of its obligations under this DPA or the applicable Data Protection Laws.

Assistance, breach notification and Deletion

7.1 Luware shall provide any reasonably necessary cooperation or assistance requested by Customer in connection with steps that Customer takes to comply with the applicable Data Protection Laws insofar as they directly relate to the Services. This includes assisting Customer with regulatory requirements and managing and responding to requests or complaints from Data Subjects, authorities and/or other third parties with respect to their rights under the applicable Data Protection Laws.

7.2  Where a Data Protection Impact Assessment (“DPIA”) is required under the applicable Data Protection Laws for the processing of Personal Data, Luware shall provide Customer, upon request, with reasonable cooperation and assistance needed to fulfill Customer’s obligation to carry out a DPIA related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and such information is available to Luware.

7.3 Data Subject Request. Luware shall promptly notify Customer if it or one of its Approved Third Party receive a request by a Data Subject and shall (i) not disclose any Personal Data in response to any such request without the prior written consent of Customer, (ii) promptly provide Customer with reasonable co-operation and assistance to any such request by the Data Subject, and (iii) provide Customer with any information reasonably requested by it.

7.4 Authority Request. If Luware is obliged by law to disclose Customer Personal Data to a law enforcement agency or other third party, Luware shall give Customer reasonable notice of the access request prior to granting such access, to allow Customer to seek a protective order or other appropriate remedy. Where such notice is legally prohibited, Luware shall take reasonable measures to limit the disclosure of Customer Personal Data.

7.5 Customer shall pay Luware reasonable charges mutually agreed between the Parties for providing the assistance under clauses 7.1, 7.2, 7.3 and 7.4 of this DPA, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.

7.6 Data Breach Notification. Luware shall, without undue delay provide Customer, with all information in Luware’s possession concerning a Data Breach in connection with the Terms of Use or this DPA. Following such notification and, within such timescale to be agreed between the Parties (acting reasonably and in good faith), both Parties shall support each other to (i) implement any measures necessary to restore the integrity of compromised Customer Personal Data, and (ii) make any necessary notifications to the relevant authorities, affected Data Subjects and other relevant third parties.

7.7 Return and Deletion. Upon termination or expiration of this DPA for whatever reason, Luware will make Customer Personal Data available for export for thirty (30) days from the effective date of termination or expiration (“Export Period”). For Customer Personal Data that is retained by Luware and is exportable, and provided that Customer has paid all applicable Fees, Customer may contact Luware via support@luware.com within the Export Period and have Customer Personal Data exported by Luware, subject to the applicable professional services fees. After the expiration of the Export Period, Luware will delete available Customer Personal Data except as necessary to comply with Luware’s legal obligations, resolve disputes, and enforce this DPA. Once deleted, Customer Content cannot be recovered.

Final provisions

8.1 Neither Party may assign any of its rights or obligations under this DPA, without the prior written consent of the other Party (not to be unreasonably withheld). Either Party may however assign this DPA to a successor of all or substantially all of the business of such Party whether by merger, acquisition, corporate reorganization, or sale of substantially all of its assets without the other Party’s consent. This DPA shall be binding upon and inure to the benefit of the Parties’ successors.

8.2 If individual clauses of this DPA are either fully or partially unlawful, invalid, or for any other reason unenforceable, the validity of the remaining clauses of this DPA shall not be affected. The Parties are obliged to cooperate in good faith to replace such invalid clauses with clauses which the Parties would have intended at the time of concluding this DPA and which come as close as possible to the invalid clause.

8.3  Neither Party will be liable to the other for any delay or failure to perform any obligation under this DPA if the delay or failure results from any cause beyond that Party’s reasonable control, including but not limited to, acts of God, acts of government, acts of terror or civil unrest, internet failures, or acts undertaken by third parties not under the performing Party’s control, including, without limitation, denial of service attacks (“Force Majeure Event”). In the event that a Force Majeure Event continues for a period of thirty (30) consecutive days, the other Party may terminate this DPA on written notice to the non-performing Party.

8.4  This DPA shall terminate upon termination or expiration of the Terms of Use for whatever reason. Each Party’s right of extraordinary and immediate termination according to statutory provisions shall not be affected. Notwithstanding the foregoing, this DPA shall survive the termination or expiry of the Terms of Use to the extent that Luware continues to process Customer Personal Data.

8.5  This DPA shall be governed by the substantive laws of England and Wales without further reference to its conflicts of law rules and to the exclusion of all and any international conventions and treaties, such as the Vienna Convention on the International Sale of Goods. Any dispute arising out of or with respect to this DPA shall be subject to the jurisdiction of the English courts.

Annex 1: Details of Processing Activities 

This Annex 1 describes the subject, the duration of the processing, the nature and purpose of the processing operations, the types of personal data and categories of data subjects that are governed by the provisions of this DPA, of which it forms an integral part.

Subject-matter 

Process of Personal Data for the provision of Services in accordance with the Luware Cloud Terms of Use. 

Duration of the processing 

We will process Personal Data for the term of the Luware Cloud Terms of Use or written individual Agreement in a Luware offer, unless otherwise agreed in writing. 

Nature and purpose of the processing 

Personal Data will be processed only as described in the Luware Cloud Terms of Use, the Luware Nimbus Whitepaper and the Luware Recording Whitepaper. 

Types of personal data 

Depending on the products and services used by the Customer, personal data from the following categories may be included: 

Basic personal data (for example first name, last name, e-mail address, phone number) 

Authentication data (for example audit trail) 

Call details (for example Start/End time of the call, technical call details, caller’s phone number or SIP address, Azure user location/department) 

User states (for example O365 ID of the Office 365 User, user state type such as offline, off duty, selectable) 

Conversation context (additional information to the caller phone number) 

Simplified session logs (for example called service, caller phone number) 

Configuration data (Costumer configuration data of the Nimbus system) 

Call recordings (for example audio recording of the conversation, video recording of the conversation) 

Voicemail records (voice messages left from a caller on a Nimbus service) 

Categories of data subjects 

Customer’s representatives 

Service users 

End-users 

Approved Third Parties