    Last updated: August 1, 2025

    Data Processing Addendum

    This document applies only when explicitly negotiated and executed with Lumeo as part of an enterprise arrangement or purchase order.

    Pursuant to the written agreement between Customer and Lumeo, Inc. ("Vendor") (each a "Party" and collectively the "Parties") titled Lumeo Master Services Agreement ("the Agreement"), the Parties hereby adopt this U.S. Privacy Law Data Processing Addendum ("U.S. DPA"). This U.S. DPA prevails over any conflicting terms of the Agreement.

    1. Definitions

    "Consumer" means a natural person. Where applicable, Consumer shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

    "Controller" means a person or entity that collects individuals' Personal Data and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Data. Where applicable, Controller shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

    "Customer Personal Data" means Personal Data provided by Customer to, or which is collected on behalf of Customer by, Vendor to provide services to Customer pursuant to the Agreement.

    "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Data shall be interpreted consistent with the same or similar term under U.S. Privacy Laws.

    "Processing," "Process," and "Processed" means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means. Where applicable, Processing, Process, and Processed shall be interpreted consistent with the same or similar term under the U.S. Privacy Laws.

    "Processor" means "Processor," "Service Provider," or "Contractor" as those terms are defined in the U.S. Privacy Laws.

    "Sale" and "Selling" have the meaning defined in the U.S. Privacy Laws.

    "Share," "Shared," and "Sharing" have the meaning defined in the CCPA.

    "U.S. Privacy Laws" means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health information). U.S. Privacy Laws include, but are not limited to, the following:

    • California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA");
    • Colorado Privacy Act;
    • Connecticut Personal Data Privacy and Online Monitoring Act;
    • Delaware Personal Data Privacy Act;
    • Indiana Consumer Data Protection Act;
    • Iowa Consumer Data Protection Act;
    • Kentucky Consumer Data Protection Act;
    • Maryland Online Data Privacy Act;
    • Minnesota Consumer Data Privacy Act;
    • Montana Consumer Data Privacy Act;
    • Nebraska Data Privacy Act;
    • New Hampshire Act Relative to the Expectation of Privacy;
    • New Jersey Act Concerning Online Services, Consumers, and Personal Data;
    • Oregon Consumer Privacy Act;
    • Rhode Island Data Transparency and Privacy Protection Act;
    • Tennessee Information Privacy Act;
    • Texas Data Privacy and Security Act;
    • Utah Consumer Privacy Act; and
    • Virginia Consumer Data Protection Act.

    In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.

    2. Scope, Roles, and Termination

    Applicability. This U.S. DPA applies only to Vendor's Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix A.

    Roles of the Parties. For the purposes of the Agreement and this U.S. DPA, Customer is the Party responsible for determining the purposes and means of Processing Customer Personal Data as the Controller and appoints Vendor as a Processor to Process Customer Personal Data on behalf of Customer for the limited and specific purposes set forth in Appendix A.

    Obligations at Termination. Upon termination of the Agreement, except as set forth therein or herein, Vendor will discontinue Processing and destroy or, at Customer's election and expense, return Customer Personal Data in its or its subcontractors' and sub-processors' possession without undue delay. Vendor may retain Customer Personal Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Vendor shall ensure the confidentiality of all such Customer Personal Data.

    3. Compliance

    Customer shall provide any required privacy notices to Consumers and obtain Consumers' consent where required for Vendor's processing of Customer Personal Data as set forth in this U.S. DPA.

    Compliance with Obligations. Vendor, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the U.S. Privacy Laws, (b) shall provide the level of privacy protection required by the U.S. Privacy Laws, (c) shall provide Customer with all reasonably requested assistance to enable Customer to fulfill its own obligations under the U.S. Privacy Laws, and (d) understand and shall comply with this U.S. DPA. Upon the reasonable request of Customer, Vendor shall make available to Customer information in Vendor's possession necessary to demonstrate Vendor's compliance with this subsection.

    Compliance Assurance. Customer has the right to take reasonable and appropriate steps to ensure that Vendor uses Customer Personal Data consistent with Customer's obligations under applicable U.S. Privacy Laws and this U.S. DPA.

    Compliance Monitoring. Customer has the right to monitor Vendor's compliance with this U.S. DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing at least once every 12 months. Vendor shall cooperate fully with any audit initiated by Customer, provided that such audit will not unreasonably interfere with the normal conduct of Vendor's business. Unless the audit reveals a breach by Vendor of this U.S. DPA or applicable U.S. Privacy Laws, Customer shall bear the costs of the audit. Alternatively, with Customer's consent, Vendor shall arrange for a qualified and independent assessor to conduct an assessment, at least annually and at the Vendor's expense, of Vendor's policies and technical and organizational measures in support of the obligations under this U.S. DPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Vendor shall provide a report of such assessment to Customer upon request.

    Compliance Remediation. Vendor shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Vendor in accordance with this subsection, Customer may direct Vendor to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data. Lumeo shall notify Customer within 72 hours of discovering any Security Incident involving Customer Personal Data, providing sufficient information for Customer to meet its legal obligations.

    4. Restrictions on Processing

    Limitations on Processing. Vendor will Process Customer Personal Data solely as instructed in the Agreement and this U.S. DPA or as otherwise required by law. Except as expressly permitted by the U.S. Privacy Laws, Vendor is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in Appendix A, (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties, and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws.

    Confidentiality. Vendor shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Personal Data.

    Subcontractors; Sub-processors. Vendor's current subcontractors and sub-processors are available at https://trust.lumeo.com. Vendor shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Vendor shall ensure that Vendor's subcontractors or sub-processors who Process Customer Personal Data on Vendor's behalf agree in writing to the same or equivalent restrictions and requirements that apply to Vendor in this U.S. DPA and the Agreement with respect to Customer Personal Data, as well as to comply with the applicable U.S. Privacy Laws.

    Right to Object. Customer may object in writing to Vendor's appointment of a new subcontractor or sub-processor on reasonable grounds by notifying Vendor in writing within 30 calendar days of receipt of notice in accordance with Section 4.3. In the event Customer objects, the Parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution.

    5. Security

    The Parties shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure. Without limiting the foregoing, the Parties shall comply with the security measures set forth at Appendix B when Processing Customer Personal Data.

    In the event of a Security Incident, Lumeo shall: (a) investigate and remediate at its expense; (b) provide reasonable cooperation for Customer's compliance obligations; and (c) maintain incident documentation.

    6. Consumer Rights

    Vendor shall provide commercially reasonable assistance to Customer for the fulfillment of Customer's obligations to respond to Consumer rights requests regarding Customer Personal Data. Due to the nature of Vendor's platform, Vendor's deletion capabilities are limited to:

    • Deletion of video recordings and associated metadata for specified cameras within defined time periods;
    • Deletion of individual biometric profiles and associated recordings if such profiles are created within the platform;
    • Removal of customer-entered identifiers (such as names or tags) associated with detected objects or individuals along with associated video recordings and other associated metadata.

    Vendor cannot selectively delete or modify individual biometric features, faces, or persons from within video recordings while preserving the remainder of the recording. Customer acknowledges these technical limitations are standard for video analytics platforms.

    For Consumer requests that cannot be fulfilled due to technical limitations described in Section 6.1, Vendor shall:

    • Provide Customer with documentation explaining the technical limitations;
    • Assist Customer in implementing alternative compliance measures, such as restricting access to relevant data or disabling specific analytics features;
    • Where feasible, provide options to blur, redact, or restrict processing of individuals going forward.

    Where applicable, Vendor shall enable Customer to comply with any Consumer rights request made pursuant to the U.S. Privacy Laws to the extent technically feasible. Customer acknowledges that certain Consumer rights may need to be fulfilled through broader data deletion (e.g., removing entire video segments rather than individual faces).

    Vendor shall not be required to delete any Customer Personal Data to comply with a Consumer's request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Vendor will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and Vendor shall not use Customer Personal Data retained for any purpose other than provided for by that exception.

    7. Sale of Data

    The Parties acknowledge and agree that the disclosure or making available of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this U.S. DPA.

    8. Exemptions

    Notwithstanding any provision to the contrary in the Agreement or this U.S. DPA, the terms of this U.S. DPA shall not apply to Vendor's Processing of Customer Personal Data that is exempt from applicable U.S. Privacy Laws.

    9. Changes to Applicable U.S. Privacy Laws

    The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the U.S. Privacy Laws.

    10. Limitation of Liability

    Except for breaches of confidentiality or gross negligence, Vendor's total liability under this DPA shall not exceed the fees paid in the 12 months preceding the incident. This limitation shall not apply to indemnification obligations required by applicable law.

    Appendix A – Processing Details

    Nature and Purpose(s) of the Processing

    The processing involves the ingestion, analysis, and storage of video and image data to enable video analytics functionality. This includes object detection, facial recognition, license plate recognition, and other AI-driven analysis. The platform processes personal data to:

    • Detect and identify individuals or objects based on customer-provided inputs (e.g., names associated with faces, license plate metadata).
    • Generate alerts, reports, or insights as configured by the customer.
    • Maintain historical records for audit, compliance, or operational review purposes, as determined by the customer.

    All processing is performed on behalf of the customer, in accordance with their configuration and usage of the platform.

    Types of Customer Personal Data Subject to Processing

    Depending on the customer's configuration, enablement of specific features, and use of the platform, the following types of personal data may be processed:

    • Biometric data: Facial images and features used for facial recognition.
    • Vehicle identifiers: License plate numbers.
    • Visual recordings: Video footage or still images that may contain identifiable individuals or property.
    • Metadata: Timestamps, location information, camera identifiers.
    • Customer-entered identifiers: Names, tags, or labels associated with detected individuals, vehicles, or other objects.
    • Contact information: Email addresses or other contact details associated with user accounts, alerts, or tagged individuals.
    • Login-related data: IP addresses, timestamps, usernames, passwords or tokens used to access the platform.
    • Other personal data: Any other information the customer chooses to upload, annotate, or associate with video content that could directly or indirectly identify an individual.

    Duration of Processing

    For the duration of the Agreement.

    Appendix B – Security Measures

    The Parties will apply at least the following types of security measures to Customer Personal Data:

    1. Physical access control. Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:

    • Establishing security areas, restriction of access paths;
    • Establishing access authorizations for employees and third parties;
    • Access control system;
    • Key management, card-keys procedures;
    • Door locking (electric door openers etc.);
    • Security staff;
    • Surveillance facilities, video/CCTV monitor, alarm system; and
    • Securing decentralized data processing equipment and personal computers.

    2. Virtual access control. Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

    • User identification and authentication procedures;
    • ID/password security procedures (special characters, minimum length, change of password);
    • Automatic blocking (e.g. password or timeout);
    • Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; and
    • Encryption of archived data media.

    3. Data access control. Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:

    • Internal policies and procedures;
    • Control authorization schemes;
    • Default configuration;
    • Differentiated access rights (profiles, roles, transactions and objects);
    • Monitoring and logging of access;
    • Disciplinary action against employees who access Customer Personal Data without authorization;
    • Reports of access;
    • Access procedure;
    • Change procedure;
    • Deletion procedure; and
    • Encryption.

    4. Disclosure control. Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:

    • Encryption/pseudonymization/tunneling;
    • Logging; and
    • Transport security.

    5. Entry control. Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

    • Logging and reporting systems; and
    • Audit trails and documentation.

    6. Control of instructions. Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:

    • Unambiguous wording of the contract;
    • Formal commissioning (request form); and
    • Criteria for selecting the Processor.

    7. Availability control. Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:

    • Backup procedures;
    • Mirroring of hard disks (e.g. RAID technology);
    • Uninterruptible power supply (UPS);
    • Remote storage;
    • Antivirus/firewall systems; and
    • Disaster recovery plan, in the event of a physical or technical incident.

    8. Separation control. Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:

    • Separation of databases;
    • "Internal client" concept / limitation of use;
    • Segregation of functions (production/testing); and
    • Procedures for storage, amendment, deletion, transmission of data for different purposes.

    9. Testing controls. Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:

    • Periodic review and testing of disaster recovery plan;
    • Testing and evaluation of software updates before they are installed;
    • Authenticated (with elevated rights) vulnerability scanning; and
    • Test bed for specific penetration tests and red team attacks.

    10. IT governance. Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

    • Certification/assurance of processes and products;
    • Processes for data minimization;
    • Processes for data quality;
    • Processes for limited data retention;
    • Processes for ensuring accountability; and
    • Data subject rights policies.