Data Processing Addendum
This Data Processing Addendum (this “DPA”) is made as of the date of the last signature below (the “Effective Date”) and supplements the Cloud Subscription Services Agreement or similar services agreement entered into by and between the customer named therein (“Customer”) and L2L LLC (“L2L”) on or prior to the date hereof (the “Agreement”). Customer enters into this DPA on behalf of itself, affiliates, and assignees. This DPA incorporates the defined terms from the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement. In the event of a conflict between this DPA and the Agreement, the terms and conditions of this DPA shall take precedence. For the avoidance of doubt, any non-conflicting terms in the Agreement shall continue to apply and be applicable to this DPA.
- Definitions
-
“Authorized Person” means an employee, contractor, subcontractor, and/or Permitted Affiliate of L2L who has a need to know or otherwise access Customer Personal Data to enable L2L to perform its obligations under this DPA and/or the Agreement.
-
“Authorized Sub-Processor” means the Sub-Processor engaged by L2L that has a need to know or otherwise access Personal Data to enable L2L to perform its obligations under this DPA and/or the Agreement and that has been previously approved by Customer in accordance with Section 4 of this DPA, and who is bound in writing by a data processing agreement pursuant to which their duties and obligations to protect Personal Data are in accordance with the terms hereof.
-
“Customer Personal Data” means any “personal information”, “personal data” or other similar term as defined under Data Protection Laws that is contained within the data provided to or accessed by L2L by or on behalf of Customer or Customers’ employees in connection with the Services.
-
“Data Protection Law(s)” means any applicable federal, state or foreign law(s), rule(s) or regulation(s) concerning privacy, data protection, confidentiality, information security, availability or processing of Personal Data and as applicable to this DPA, the Agreement, or the Processing, which expressly include the California Consumer Privacy Act and implementing regulations (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Data Protection Act 2018 of the United Kingdom (“UK GDPR”), the Swiss Federal Act on Data Protection (1992) or the Swiss Federal Data Protection Act of 25 September 2020 when in full force and effect, as applicable, and its corresponding ordinances (“Swiss DPA”); the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and related data protection and privacy laws of the member states of the European Economic Area, the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System, each as applicable and as amended, repealed, consolidated or replaced from time to time.
-
“Data Subject Request” means a request from a Data Subject exercising his or her rights under Data Protection Laws that relates to Customer Personal Data and identifies Customer.
-
“Permitted Affiliate” means any Affiliate of Customer, which is permitted to use the Services pursuant to the Agreement but has not signed its own Order Form or separate agreement with L2L.
-
“Personal Data” means any personal and/or personally identifiable information relating to an individual and as defined by applicable Data Protection Laws.
-
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transferred, retained, and/or otherwise processed by L2L and/or its Sub-Processors in connection with the delivery of the Services. A Personal Data Breach does not include a system security incident that does not compromise the security of Customer Personal Data and/or unsuccessful attempts or activities that do not compromise the security of any Customer Personal Data.
-
“Services” means the services and/or products to be provided by L2L to Customer under the Agreement.
-
“Standard Contractual Clauses” means (i) where the GDPR or Swiss DPA applies, the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission’s decision 2021/914/EC of June 4, 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and as revised under Section 18 of the International Data Transfer Addendum (the “UK Addendum”).
-
“Sub-Processor” means a third-party who has a need to know or otherwise access Customer’s Personal Data to enable L2L to perform its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit A or (2) subsequently authorized under Section 4 of this DPA.
-
“Supervisory Authority” means any other court, tribunal, or governmental or quasi-governmental entity or agency that has jurisdiction, under Data Protection Law, over the Agreement or DPA, the Personal Data or Processing, and/or L2L or Customer, including the United States Department of Commerce and the data protection authorities of the nations of the European Economic Area, United Kingdom, and Switzerland.
The terms "controller", "data subject", "processor", "processing" and "supervisory authority" shall have the meaning given to them in European Data Protection Law and "process", "processes" and "processed" shall be interpreted accordingly under applicable Data Protection Law. The terms "business", “commercial purpose”, "consumer", “cross-context behavioral advertising,” “personal information”, “sale,” (including any derivative thereof), "service provider," “share” (including any derivative thereof) and “third party” shall have the meaning given to them in the CCPA.
- Applicability of this DPA
Scope: This DPA applies only to the extent that either party collects, uses, accesses, processes on behalf of the other party, transfers, and/or retains Personal Data that is subject to Data Protection Laws and/or security standards in connection with the Agreement.
Role of the Parties: The parties agree that in connection with the Services: Customer is the controller and/or business (in accordance with applicable Data Protection Laws) of Customer Personal Data and L2L shall process Customer Personal Data as a processor and/or service provider (in accordance with applicable Data Protection Laws) on behalf of Customer.
- Processing of Data
-
This section applies to the extent that L2L processes Customer Personal Data solely on behalf of the Customer as part of the delivery of the Services as further described in Annex 1 of this DPA.
-
L2L agrees to process Customer Personal Data only as described in this DPA, the Agreement, and in accordance with Customer’s lawful instructions, and under applicable Data Protection Laws. By entering into this DPA, Customer instructs L2L to process Customer Personal Data as described in Annex 1 of this DPA.
-
L2L shall only process Customer Personal Data (i) for the limited and specified purposes described in Annex 1; (ii) in compliance with the terms and conditions set forth in this DPA and in accordance with Customer’s lawful instructions; and (iii) in compliance with all applicable Data Protection Laws. Customer hereby instructs L2L to process Customer Personal Data in accordance with the foregoing and as part of any processing initiated by the Customer in its use of the Services. If L2L is unable to process Customer Personal Data pursuant to the Customer’s instructions due to legal requirements under applicable Data Protection Laws, L2L shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. L2L shall also promptly inform the Customer if, in its opinion, Customer’s instructions infringe on any applicable Data Protection Laws. In such case, L2L will cease all processing of the affected Customer Personal Data until such time as the Customer issues new Instructions.
-
Following completion of the Services, at Customer’s choice, L2L shall delete Customer Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If destruction is impracticable or prohibited by law, rule or regulation, L2L shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control in accordance with the Agreement and this DPA. If Customer and L2L have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the UK SCCs and Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by L2L to Customer only upon Customer’s request.
- Authorized Sub-Processors
-
Customer acknowledges and agrees that L2L may (1) engage its affiliates and the Authorized Sub-Processors listed in Exhibit A to this DPA to access and process Customer Personal Data in connection with the Services; and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Customer Personal Data. By entering this DPA, Customer provides general written authorization to L2L to engage Sub-processors as necessary to perform the Services, subject to Section 4(b) below.
-
A list of L2L’s current Authorized Sub-Processors (the “List”) will be made available to Customer, available at https://app.drata.com/trust/9cbbb9fe-0c38-11ee-865f-029d78a187d9, or through another means made available to Customer. Such List may be updated by L2L from time to time. L2L may provide a mechanism to subscribe to notifications of new Authorized Sub-Processors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Sub-Processor to access or participate in the processing of Customer Personal Data, L2L will notify Customer via email. Customer may object to such an engagement by informing L2L within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent L2L from offering some or all of the Services to Customer.
-
If Customer reasonably objects to an engagement in accordance with Section 4(b), and L2L cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Services by providing written notice to L2L.
-
If Customer does not object to the engagement of a new Sub-processor in accordance with Section 4(b) within ten (10) days of notice by L2L, that third party will be deemed approved as an Approved Sub-Processor for the purposes of this DPA.
-
L2L will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on L2L under this DPA with respect to the protection of Customer Personal Data. In the case where an Authorized Sub-Processor fails to fulfill its data protection obligations under such agreement, L2L will remain liable to Customer for the performance of the Authorized Sub-Processor’s acts and omissions under such agreement.
-
If Customer and L2L have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by L2L of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by L2L to Customer pursuant to Clause 5(j) of the UK SCCs or Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by L2L beforehand, and that such copies will be provided by L2L only upon request by Customer.
- Security of Data
-
L2L represents and warrants that it shall maintain all Customer Personal Data in confidence, using a degree of care and technical and organizational security measures that meet or exceed applicable industry standards and that ensure a level of security appropriate to the risks of accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access of Customer Personal Data presented by the processing, which include, but are not limited to, those set forth in Exhibit B hereto (the “Technical and Organizational Measures”).
-
Upon termination or expiration of this Agreement, and upon the Customer’s written request made within thirty (30) days of such termination or expiration, L2L shall provide the Customer with a complete copy of Customer’s data (including the Customer Personal Data) in a commonly used machine-readable format. Such data shall be transferred to an AWS S3 bucket provisioned and paid for by the Customer, and the Customer shall provide L2L with the necessary access credentials and instructions to perform the transfer. Following successful transfer of the Customer’s data, or if no request for data return is made within the thirty (30)-day period, L2L shall securely delete all of Customer’s data including Customer Personal Data from its systems in accordance with its data retention and deletion policies, unless retention is required by applicable law or regulation. The Customer is solely responsible for provisioning and maintaining the AWS S3 bucket and any associated costs, including data storage, transfer fees, and access controls. L2L shall not be liable for any issues arising from the configuration, security, or availability of the Customer’s S3 bucket. The data provided shall include raw Customer data as stored in L2L’s systems at the time of termination but shall exclude any system logs, metadata, or derived data generated by L2L’s services unless otherwise agreed in writing. After completion of the data transfer and subsequent data deletion, L2L shall have no further obligations to retain, maintain, or provide access to Customer’s data including Customer Personal Data.
- Authorized Persons
-
L2L shall perform appropriate screening of all Authorized Persons, including without limitation, background checks in accordance with applicable laws, and shall ensure the reliability and appropriate training of all Authorized Persons.
-
L2L represents and warrants that it has executed confidentiality agreements with each Authorized Person that prevents them from disclosing or otherwise processing, both during and after their engagement by L2L, any Customer Personal Data except in accordance with their obligations in connection with the Services.
-
L2L shall be fully responsible for the acts and omissions of Authorized Persons and any other of its subcontractors, independent contractors, and other service providers to the same extent that L2L would itself be liable under this DPA had it conducted such acts or omissions.
- Personal Data Breach
-
L2L shall notify the Customer without undue delay (but in no case later than 72 hours) after becoming aware of a Personal Data Breach. L2L shall provide sufficient information to enable the Customer to comply with its obligations under applicable Data Protection Laws with respect to such Personal Data Breach, including any obligation to report or notify such Personal Data Breach to Supervisory Authorities and/or Data Subjects, as applicable. To the extent available and practical, such report will include (i) a description of the nature of the Personal Data Breach; (ii) the categories and approximate number of Data Subjects and Personal Data sets affected or alleged to be affected; (iii) the likely consequences of the Personal Data Breach; and (iv) any measures that have been or may be taken to address and mitigate the Personal Data Breach.
-
L2L shall promptly take any steps it deems necessary and reasonable under its Technical and Organizational Measures to mitigate the effect of any Personal Data Breach and prevent any further Personal Data Breach or recurrence thereof, at L2L’s own expense and in accordance with applicable Data Protection Laws, to the extent such remediation is under L2L’s reasonable control.
-
L2L shall not publicly disclose any information regarding the Customer in any Personal Data Breach without the Customer’s prior written consent, except to the extent L2L and any relevant Authorized Sub-Processor are explicitly compelled to do so by applicable Data Protection Laws, or to applicable Supervisory Authorities and/or Data Subjects.
-
In the event of a Personal Data Breach, L2L shall, taking into account the nature of the processing and the information available to L2L, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority, (ii) Data Subjects affected by such Personal Data Breach, and (iii) any other steps necessary to comply with applicable Data Protection Laws.
-
The obligations described in this Section 7 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. L2L’s obligation to report or respond to a Personal Data Breach will not be construed as an acknowledgement by L2L of any fault or liability with respect to the Personal Data Breach.
- Data Subject Requests
If L2L receives a Data Subject Request, L2L will (a) advise the Data Subject to submit the request to Customer directly, and (b) promptly notify Customer of the request. Where required by Data Protection Laws, L2L will, on Customer’s request and taking into account the nature of Customer Personal Data processed, provide reasonable assistance to Customer in fulfilling the Data Subject Request to the extent Customer is unable through its use of the Services to address a particular Data Subject Request on its own. To the extent permitted by applicable law, Customer will be responsible for any costs arising from L2L’s assistance.
- Transfers of Personal Data
-
GDPR. Any transfer of Personal Data made subject to this DPA from member states of the European Union, Iceland, Liechtenstein, or Norway to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by L2L through the EU SCCs, which are automatically incorporated by reference and form an integral part of this DPA, as follows:
- where Customer is a Controller and L2L is a Processor under the Agreement, Module Two (Controller to Processor) of the EU SCCs will apply; or where Customer is a Processor and L2L is a Sub-Processor under the Agreement, Module Three (Processor to Processor) of the EU SCCs will apply;
- Clause 7, the optional docking clause will apply;
- Clause 9, Option 2 will apply, and the time period for prior notice is ten (10) days;
- Clause 11, the optional language will not apply;
- Clause 13, the supervisory authority with responsibility for ensuring compliance by the Data Exporter with Regulation (EU) 2016/679 as regards the data transfers shall be the supervisory authority of Ireland;
- Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA.
-
UK GDPR. With respect to transfers to which the UK GDPR applies, the Parties agree to Process such Personal Data in compliance with the UK Addendum, which is automatically incorporated by reference and forms an integral part of the DPA, as follows:
- the EU SCCs as implemented under Section 7(a) of this DPA shall be deemed amended as specified by Part 2 of the UK Amendment;
- Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annex 1 of this DPA (as applicable); and
- Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “Importer” and “Exporter.”
-
Swiss DPA. With respect to transfers to which the Swiss DPA applies, the Parties agree to Process such Personal Data in compliance with the EU SCCs as implemented under Section 9(a) of this DPA with the following modifications:
-
references to "Regulation (EU) 2016/679" shall be interpreted as reference to the Swiss DPA;
-
references to "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;
-
references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland" for transfers from Switzerland;
-
Clause 17, the EU SCCs shall be governed by the laws of Switzerland; and
-
Clause 18(b), disputes shall be resolved before the applicable courts of Switzerland.
-
CCPA and CPRA. To the extent the Processing of Personal Data is subject to CCPA or CPRA:
- L2L is a “service provider” and Customer is a “business”, each as defined under the CCPA and CPRA;
- L2L shall not (i) “sell” any Personal Data, as defined under the CCPA and CPRA; (ii) retain, use, or disclose Personal Data (1) for any purpose other than for the sole purpose of providing the Services to Customer under the Agreement; (2) for a commercial purpose (as defined in CCPA and CPRA); or (3) outside of the direct business relationship between Customer and L2L; and
- Customer certifies that it understands and acknowledges the foregoing responsibilities and other requirements under the CCPA and CPRA.
-
L2L represents and warrants that (i) no Authorized Sub-Processor will be permitted to undertake or receive a Restricted Transfer before executing the Standard Contractual Clauses; and (ii) every Restricted Transfer made by L2L, or any Authorized Sub-Processor shall be undertaken in accordance with the Standard Contractual Clauses.
- Compliance Audits
-
Customer may audit L2L’s compliance with its obligations under this DPA up to once per year. In addition, to the extent required by Applicable Data Protection Laws, including where mandated by Customer’s regulatory or governmental authority, Customer or an auditor appointed by Customer may perform more frequent audits (including inspections). L2L will contribute to such audits by providing Customer or other mutually agreed upon auditor with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services.
-
Such audits are limited to L2L’s processing of Customer Personal Data subject to Data Protection Laws, not any other aspect of L2L’s business or information systems or other customers.
-
If a third party is to conduct the audit, L2L may object to the auditor if the auditor is, in L2L’s reasonable opinion, not suitably qualified or independent, a competitor of L2L, or otherwise manifestly unsuitable. Such objection by L2L will require Customer to appoint another auditor or conduct the audit itself.
-
To request an audit, Customer must submit a detailed proposed audit plan to L2L at least thirty (30) days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. L2L will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise L2L security, privacy, employment or other relevant policies). L2L will work cooperatively with Customer to agree on a final audit plan. The audit plan, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information, and will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product will not be disclosed to anyone without the prior written permission of L2L unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give L2L prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency.
-
On Customer’s request, and subject to the confidentiality provisions of the Agreement, L2L will make available to Customer copies of, or extracts from, L2L’s audit reports related to the security of the Services, including, for example, its SOC 2 Type 2 report, (the “Audit Reports”). If the requested audit scope is addressed in the Audit Reports or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and L2L confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
-
The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and L2L’s health and safety or other relevant policies, and may not unreasonably interfere with L2L business activities.
-
Customer will promptly notify L2L of any non-compliance discovered during the course of an audit and provide L2L any audit reports generated in connection with any audit under this Section 10, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
-
Any audits are at Customer’s expense. Customer shall reimburse L2L for any time expended by L2L in connection with any audits or inspections under this Section 9 at L2L’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
-
The parties agree that this Section 10 shall satisfy L2L’s obligations under Data Protection Laws, including the audit requirements of the Standard Contractual Clauses applied to Data Importer under Clause 5(f) and to any Subprocessors under Clause 11 and Clause 12(2).
- Miscellaneous
-
This DPA may be amended or modified only by a writing signed by both Parties. L2L and Customer acknowledge and agree that they each may disclose this DPA to third parties (including regulators) for purposes of demonstrating compliance with Data Protection Laws.
-
This DPA shall remain in full force and effect until such time as the Agreement is terminated in accordance with its term or expires, provided that the provisions of this DPA shall survive the termination or expiration of the Agreement for so long as L2L or its Authorized Sub-Processors process any Personal Data on behalf of Customer.
-
The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA, and the Standard Contractual Clauses if applicable (to the extent legally permitted) combined will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement; provided, however, that nothing contained herein will affect any party’s liability to data subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by the Data Protection Laws, where applicable.
-
This DPA shall be governed by the law of the same jurisdiction as the Agreement, except where and to the extent that Data Protection Laws require that the DPA be governed by the law of another jurisdiction.
-
Any notice sent by Customer to L2L for the subject matters under this DPA shall be sent to [________].
-
If there is any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail with respect to Personal Data that is subject to GDPR or UK GDPR.
Annex 1 – Description of Processing/Transfer
Annex 1(A): List of Parties
This Annex includes certain details of the Processing of Customer Personal Data by L2L as required by Article 28(3) GDPR and Appendix 1 of the UK SCCs.
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: The Customer listed in the applicable Order Form with L2L
Address: The Customer’s address listed in the applicable Order Form with L2L
Contact person’s name, position and contact details: As listed in the applicable Order Form with L2L
Role (controller/processor): Controller as to Customer Personal Data.
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: L2L LLC
Address: L2L LLC 150 Isidor Ct, Sparks, NV 89441, USA
Contact person’s name, position and contact details: [________________]
Activities relevant to the data transferred under these Clauses: Delivery of Services to Data Exporter
Role (controller/processor): Processor as to Annex 1 Module 2.
Annex 1(B): Description of the Transfer
MODULE 2: CONTROLLER TO PROCESSOR PROCESSING
Subject matter and duration of the Processing of Customer Personal Data: Service Provider’s provision of the Services to Customer pursuant to the Agreement. The term of the Agreement plus the period from the expiry of the term until deletion of all Personal Data by Service Provider in accordance with the DPA
The nature and purpose of the Processing of Customer Personal Data: Processing: (i) to provide the Service in accordance with the Agreement; and (ii) initiated by Customer and its Users in its use of the Services; and (iii) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the "Purpose").
The types of Customer Personal Data to be Processed: Customer’s Personal Data
The categories of Data Subject to whom Customer Personal Data relates: Customer Employee Personnel Information
The obligations and rights of the Customer: Personal Data transferred will be transferred and processed for the purposes described above and contemplated by this DPA.
Nature of the Processing: Processing includes Storing, Using, and Accessing the Personal Data mentioned herein
Purposes of Processing: The purpose of the processing is to provide the Services to Customer, in accordance with the Agreement and any Order Form and to maintain the security and functionality of the Services.
Duration of Processing and Retention (or the criteria to determine such period): The processing will continue ongoing for the period during which the Services are being provided to Customer, in accordance with the Agreement and any Order Form
Frequency of the transfer: Continuous
Sensitive Data or Special Categories of Data: None
Annex 1(C): Competent Supervisory Authority
The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.
Annex 2 – Technical and Organizational Measures
L2L uses reasonable and appropriate technical and organizational measures as set forth in the Agreement and described in further detail at (L2L SOC 2 2025 Audit report: https://app.drata.com/trust/9cbbb9fe-0c38-11ee-865f-029d78a187d9).
Exhibit A: List of Authorized Sub-Processors
Subprocessors
L2L may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of its Services:
A current list of subprocessors is provided on the L2L Trust Center website https://app.drata.com/trust/9cbbb9fe-0c38-11ee-865f-029d78a187d9.
Exhibit B
Description of the Technical and Organizational Security Measures implemented by the Data Importer
L2L uses reasonable and appropriate technical and organizational measures as set forth in the Agreement and described in further detail at (L2L SOC 2 2025 Audit report: https://app.drata.com/trust/9cbbb9fe-0c38-11ee-865f-029d78a187d9).