Data Processing Agreement

1.    Definitions: 

        In this DPA, the following terms shall have the following meanings:

        a) controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data             Protection Law

        b) Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and any applicable national laws made             under the GDPR

        c) Customer has the same meaning as ‘you’ in the Lightyear Terms of Service.

2.    Relationship of the parties 
        The Customer (the controller) appoints Lightyear as a processor to process the customer data only on the controller’s documented instructions for the purposes         described in the Agreement or as otherwise agreed in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that apply to it         under Applicable Data Protection Law.

3.    Purpose Limitation

        Lightyear shall process the Customer Data as a processor only as necessary to perform its obligations under the Agreement and strictly in accordance with the         documented instructions of Customer (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to         Customer. In no event shall Lightyear process the Customer Data for its own purposes or those of any third party, save that Lightyear may de-identify and         aggregate data Customer Data (“Aggregated Data”) and may process Aggregated Data to maintain and improve the Services.

4.    International transfers

        Lightyear shall not transfer the Data outside of the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in         compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European         Commission has decided provides adequate protection for personal data or to a recipient that has executed standard contractual clauses adopted or approved by         the European Commission.

5.    Confidentiality of processing 

        Lightyear shall ensure that any person it authorises to process the Data (an Authorised Person) will protect the Data in accordance with Lightyear’s confidentiality         obligations under the Agreement.

6.    Security

        Lightyear shall implement appropriate technical and organisational measures to protect the Customer Data from a Security Incident. Such measures shall have         regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and         severity for the rights and freedoms of natural persons.

7.    Subprocessing

        The Customer consents to Lightyear engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:

        (i) Lightyear maintains an up-to-date list of its subprocessors, which is available on its website at the Lightyear Subprocessors page, which it will update with             details of any change in subprocessors at least 30 days prior to the change;

        (ii) Lightyear imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data             Protection Law; and

        (iii) Lightyear remains liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor. The Customer may object to                            Lightyear’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds             relating to data protection. In such an event, Lightyear will either not appoint or replace the subprocessor or, if Lightyear determines at its sole discretion that this             is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to             and including the date of suspension or termination).

8.    Cooperation and data subjects' rights

        Lightyear will provide reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to:

            (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and

            (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If             any such request, correspondence, enquiry or complaint is made directly to Lightyear,Lightyear will promptly inform the Customer, providing full details.

9.    Data Protection Impact Assessment 

        If Lightyear believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it         will inform the Customer and provide reasonable cooperation to the Customer in connection with any data protection impact assessment that may be required         under Applicable Data Protection Law. 

10.    Security incidents 

        If it becomes aware of a confirmed Security Incident, Lightyear will inform the Customer without undue delay and will provide reasonable information and         cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under (and in accordance with the timescales required by)         Applicable Data Protection Law. Lightyear will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident         and keep the Customer informed of all material developments in connection with the Security Incident.

11.    Deletion or return of Data 

        Lightyear will retain the Data for a period of 8 year. On expiry of this period or on the Customer’s earlier request,Lightyear will delete or return the Data in a manner         and form decided by Lightyear, acting reasonably.  This requirement will not apply to the extent that Lightyear is required by applicable law to retain some or all of         the Data, or to Data it has archived on back-up systems, which Data Lightyear shall securely isolate and protect from any further processing.

12.    Audit 

        The Customer acknowledges that Lightyear is regularly audited against ISO27001:2013 standards by an independent third-party auditor. Upon the Customer’s         request, and subject to the confidentiality obligations set out in the Agreement, Lightyear will make available to the Customer (provided that they or their         independent, third-party auditor are not a competitor of Lightyear) a copy of lightyear ISO27001:2013 report in the same manner and form that Lightyear makes it         generally available to customers.