Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Terms of Service between Live Elements Ecosystem S.L. ("Provider" or "Service Provider") and Customer (together, the "Parties"). Capitalized terms not defined in this DPA have the meaning given in the Agreement.

Effect. This DPA takes effect on the date on which Customer first submits Customer Personal Data to Provider in connection with the Services and remains in force for so long as Provider Processes Customer Personal Data on Customer’s behalf under the Agreement.

Scope of the DPA. This DPA applies to Provider’s Processing of Customer Personal Data in providing the CMS (content hosting/delivery, content APIs, media management, search/indexing, plug-in/app ecosystem) and the Console (tenant/admin interfaces, user management, access control, configuration) but only to the extent Provider acts as a Processor on Customer’s behalf (collectively, the "Services").

For clarity, this DPA does not apply to:

  • (a) processing of personal data by third-party services, applications, or integrations selected or enabled by the Customer;
  • (b) processing of personal data occurring outside the defined Services; or
  • (c) personal data the Customer chooses to make public or otherwise shares beyond the Services.

This DPA does not apply to Processing where Provider acts as an independent Controller, including but not limited to Provider’s own billing and invoicing, account administration, service announcements, fraud prevention, security monitoring, product analytics for service improvement, and compliance with law. Those activities are governed by Provider’s Privacy Notice and the Agreement.

1. Definitions

  • "Affiliate": an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means ownership or control of more than 50% of the voting interests.
  • "Authorized Affiliate": a Customer Affiliate that is permitted to use the Services under the Agreement; Customer is responsible for such use and for passing on any relevant rights/obligations under this DPA.
  • "Customer Content": content, data, files, code, metadata, configurations and other materials Customer (or its Users) submits to the Services.
  • "Customer Personal Data": Personal Data contained in Customer Content, or otherwise provided by or on behalf of Customer to Provider for Processing under the Agreement.
  • "Data Protection Laws": all laws and regulations applicable to a Party’s Processing of Personal Data under the Agreement, including EU/EEA/UK/Swiss data protection laws (e.g., GDPR, UK GDPR, Swiss FADP) and US state privacy laws (e.g., CCPA/CPRA and analogous state laws), in each case as amended or replaced.
  • "Personal Data": any information relating to an identified or identifiable natural person (or equivalent term under applicable Data Protection Laws).
  • "Process(ing)": any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • "Security Incident": a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Provider’s possession or control; unsuccessful attempts or activities that do not compromise security (e.g., blocked login attempts, scans) are excluded.
  • "Standard Contractual Clauses" or "SCC": the EU Commission’s 2021/914 controller-to-processor or processor-to-processor clauses (as applicable), including any UK Addendum and Swiss Addendum, as further set out in this DPA’s annexes.
  • "Subprocessor": any third-party entity (including an affiliate of the Provider) engaged by the Provider to process Customer Personal Data on behalf of the Provider in connection with the Services. A Subprocessor may include, without limitation, hosting providers, data storage or backup providers, customer support providers, and other vendors who access or process Customer Personal Data in order to assist the Provider in fulfilling its obligations under this Agreement.
  • "Sub-processor": a third party (including Provider Affiliates) engaged by Provider to Process Customer Personal Data on Provider’s behalf.
  • "Instructions": Customer’s written instructions to Provider for Processing Customer Personal Data, consisting of (i) the Agreement (including this DPA), (ii) configurations and documented directions through the Services/Console, and (iii) reasonably documented additional instructions agreed by the Parties.

2. Roles & Scope of Processing

As between the Parties, Customer is the Controller (or, where Customer acts as a processor for a third-party controller, Customer is a Processor and Provider is a Subprocessor) of Customer Personal Data, and Provider is the Processor (or Subprocessor) that Processes Customer Personal Data on behalf of Customer.

Provider will Process Customer Personal Data solely to provide, secure, maintain, and support the Services; to prevent or address service, security, or technical issues; to comply with Customer’s Instructions; and as otherwise required to comply with applicable law.

Provider will not: (a) sell or share Customer Personal Data (sharing is strictly limited to Subprocessors or as otherwise permitted by the law in order to render the Services); (b) combine Customer Personal Data with other personal data except as permitted by law and necessary to provide the Services; or (c) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA or as otherwise permitted by law.

The subject matter, duration, nature and purpose of Processing, categories of Personal Data and Data Subjects are described in Annex C (Details of Processing).

3. Processing on Documented Instructions & Use Restrictions

Provider will Process Customer Personal Data only on Customer’s documented instructions—which include the Agreement (this DPA included), settings and documented directions in the Services/Console, and any further written instructions the Parties agree. If Provider considers an instruction may conflict with Data Protection Laws, it may promptly alert Customer and may pause that instruction until the issue is resolved.

Provider’s Processing is limited to what is necessary to: (a) provide, secure, maintain, and support the Services; (b) prevent or resolve service, support, or security issues; and (c) comply with law or a binding order. Provider may produce aggregated or de-identified metrics about Service performance and usage, provided they do not identify Customer, any Data Subject, or Customer Personal Data.

To the extent US state privacy laws apply, Provider acts as Customer’s service provider/processor and will not:

  • (i) sell Customer Personal Data or exchange it for money or other valuable consideration;
  • (ii) share it for cross-context behavioral advertising;
  • (iii) retain, use, or disclose it for any purpose other than the business purposes in the Agreement and this DPA, or as otherwise permitted by applicable law; or
  • (iv) combine it with personal data from other sources or customers, except where permitted by law and necessary to provide, secure, or maintain the Services (e.g., security, fraud, abuse, or reliability), and then only under this DPA.

If Provider determines it can no longer meet its obligations as a processor, it will notify Customer within a reasonable timeframe. On notice, Customer may direct Provider to take reasonable steps to stop and remediate any non-compliant Processing—such as suspending the affected Processing and/or deleting impacted Customer Personal Data or other corrective actions the Parties agree to.

Provider will limit Processing to what is adequate, relevant, and necessary for the purposes above and will implement role-based, least-privilege access to Customer Personal Data.

The subject matter, nature and purpose, duration, and categories of Personal Data and Data Subjects are set out in Annex C (Details of Processing) and, where relevant, the Agreement or applicable Order Form.

4. Customer Responsibilities

The Customer is solely responsible for:

  • (a) determining the lawful basis for the Processing of Customer Personal Data under applicable Data Protection Laws;
  • (b) providing and maintaining all notices and all consents and permissions (including those related to cookies or tracking technologies used in Customer applications) required for the lawful Processing of Customer Personal Data in connection with the Services;
  • (c) ensuring that all Instructions issued to the Provider comply with applicable Data Protection Laws and do not require the Provider to engage in any unlawful Processing;
  • (d) determining whether the Services comply with the Customer’s specific technical, operational, and legal requirements, including applicable Data Protection Laws, sector-specific regulations, and internal policies; and
  • (e) conducting and documenting any data protection impact assessments, prior consultations with supervisory authorities, or similar assessments or reviews required by applicable law in connection with its use of the Services.

Customer agrees not to instruct Provider, whether via configuration, use of the Services, or otherwise, to Process Customer Personal Data in a manner that violates Data Protection Laws or third parties’ rights. Should the Customer fail to comply with this obligation, the Service Provider is within its rights to suspend the Services.

4.2. Customer Compliance Responsibility

The Customer acknowledges and agrees that it is solely responsible for determining whether the Services comply with the Customer’s specific technical, operational, and legal requirements, including compliance with applicable Data Protection Laws, sector-specific regulations, and internal policies. Where required by applicable law, the Customer shall be solely responsible for conducting and documenting any data protection impact assessments, prior consultations with supervisory authorities, or similar assessments or reviews in connection with its use of the Services.

4.3. No Review of Customer Content

The Provider shall have no obligation to monitor, review, evaluate, or verify the substance, content, quality, accuracy, legality or completeness of any Customer Content, nor to assess whether such content complies with applicable laws or the Customer’s internal requirements. All responsibility for Customer Content rests exclusively with the Customer.

Customer will refrain from submitting any special categories of personal data or other sensitive data through the Services unless explicitly permitted in Annex C or the Agreement and protected by appropriate safeguards and Instructions.

5. Security of Processing

Considering the state of technology, implementation costs, and the nature, scope, context, and purposes of Processing, as well as the potential risks to Data Subjects, Provider will maintain suitable technical and organizational safeguards to ensure a security level proportionate to the risk associated with Customer Personal Data.

Provider shall apply the measures outlined in Annex A (Security Measures) or the Agreement and will sustain these measures, or substantially equivalent or stronger alternatives, throughout the term. Provider may periodically update these measures to address technological advancements, provided such updates do not materially diminish the overall security of the Services.

Provider guarantees that individuals authorized by Provider to Process Customer Personal Data will be bound by appropriate confidentiality obligations (whether contractual or statutory), and access to Customer Personal Data will be strictly role-based, limited solely to the extent necessary to provide, secure, maintain, or support the Services, or as required by law or binding governmental orders.

6. Sub-processors

Use of Subprocessors. Customer grants Provider a general authorization to engage Sub-processors for the Services, subject to this Section.

Current Subprocessors. The Provider shall maintain an up-to-date list of current Subprocessors and make such list available to the Customer upon request.

Notification of new Subprocessors. The Provider may appoint new Subprocessors from time to time. Where required by applicable Data Protection Laws, the Provider shall provide the Customer with reasonable advance notice of any intended changes concerning the addition or replacement of Subprocessors that will process Customer Personal Data.

Objection Right (If Required by Law) & Deemed Consent. Where applicable Data Protection Laws grant the Customer a right to object to such changes, any objection must be reasonable, made in good faith, and submitted in writing within ten (10) business days of the notice. If the Customer does not submit a written objection within such period, the Customer shall be deemed to have consented to the new or replacement Subprocessor. In the event of a valid objection, the parties shall work in good faith to resolve the matter. If resolution is not possible, either party may terminate only the affected portion of the Services without penalty.

Provider Responsibility for Subprocessors

The Provider shall:

  • (a) engage only Subprocessors under a written contract that imposes obligations on the Subprocessor which are no less protective of Customer Personal Data than those set forth in this DPA; and
  • (b) remain responsible for the performance of each Subprocessor’s obligations to the extent such obligations are related to the processing of Customer Personal Data on behalf of the Customer.

Least privilege control. Subprocessor access to Customer Personal Data will be limited to what is necessary to provide, secure, or maintain the Services and enforced via least-privilege controls.

No Liability for Customer-Appointed Third Parties. The Provider shall have no liability whatsoever for any processing of Customer Personal Data by any third party appointed or directed by the Customer, including Customer’s own vendors, integrations, or partners.

Audits. Any audit or inspection rights the Customer may have under this Agreement or applicable Data Protection Laws in respect of Subprocessors shall be exercised only through the Provider and shall be subject to the same limitations, conditions, and procedures set forth in the Audit and Information Rights section of this DPA.

7. Data Access & Rights

If a Data Subject contacts Provider to exercise rights in relation to Customer Personal Data and identifies Customer, Provider will promptly forward the request to Customer and not respond directly (except where the law requires a response or to acknowledge receipt).

The Services include tools to help Customer handle requests. Where a request cannot reasonably be fulfilled using those tools, Provider will provide reasonable assistance on written request.

Where data portability applies, Provider will enable Customer to obtain the relevant Customer Personal Data in a structured, commonly used, machine-readable format.

To the extent permitted by Data Protection Laws, Provider may charge a reasonable fee or decline to assist where requests are manifestly unfounded, excessive, or repetitive. Provider may also require verification that the requester is the Data Subject or an authorized agent.

8. Security Incident Notification

8.1. Security Safeguards

The Provider shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, consistent with the Provider’s security policies and applicable Data Protection Laws. Such measures include, without limitation:

  • (a) least-privilege access controls, ensuring that personnel, Subprocessors, and systems have access to Customer Personal Data only to the minimum extent necessary to perform their designated tasks;
  • (b) role-based access assignments and periodic access reviews;
  • (c) encryption of Customer Personal Data in transit and at rest where appropriate;
  • (d) network security measures, including firewalls, intrusion detection, and vulnerability management; and
  • (e) regular security awareness training for relevant personnel.

8.2. Customer Security Responsibilities

The Customer is solely responsible for:

  • (a) securing its own systems, networks, and devices used in connection with the Services;
  • (b) configuring the Services in a secure manner, including setting appropriate user roles, permissions, and security-notification addresses;
  • (c) ensuring that any Customer Content uploaded or otherwise provided to the Services is lawful and free from harmful code; and
  • (d) notifying the Provider promptly of any actual or suspected compromise of Customer accounts or credentials.

If a security issue or breach is caused or contributed to by the Customer, its vendors, or third parties appointed or directed by the Customer, the Customer shall bear all reasonable costs incurred by the Provider in investigating, mitigating, and remediating such issue, including reasonable attorneys’ fees.

8.3. Security Incident Definition, Notification & Cooperation

For purposes of this Agreement, a "Security Incident" means a confirmed unauthorized access to, acquisition of, or disclosure of Customer Personal Data in the Provider’s possession or control, which results in a breach of the confidentiality, integrity, or availability of such Customer Personal Data, and which is reasonably likely to result in a risk to the rights and freedoms of natural persons under applicable Data Protection Laws.

A Security Incident does not include:

  • (a) unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including but not limited to blocked login attempts, pings, port scans, denial-of-service attacks, or similar network probes;
  • (b) incidents or vulnerabilities affecting only the Customer’s own systems, networks, or accounts;
  • (c) any event caused by the Customer’s misuse, misconfiguration, or violation of this Agreement; or
  • (d) access to Customer Personal Data by authorized users or Subprocessors acting within the scope of their authority.

Upon confirmed detection of a Security Incident impacting Customer Personal Data, Provider will alert Customer without undue delay and, where feasible, within 72 hours of becoming aware, to help Customer meet applicable legal notification timelines.

Notices will be sent to the security-notification address configured by Customer in the Console; if none is set, Provider may use other administrator/owner contacts on the account. Customer acknowledges that not designating a security address may affect the speed of delivery.

The Provider will share available details at the time of notice, which may include, to the extent reasonably known:

  • a brief description of the incident and its nature;
  • the categories and approximate number of affected Data Subjects;
  • the categories and approximate number of personal data records concerned; likely consequences; and
  • actions taken or proposed to contain and remediate, plus a contact point for follow-up.

Provider may supplement this information as further facts are confirmed.

The Customer shall promptly cooperate with the Provider in relation to any Security Incident, including by:

  • (a) providing the Provider with all relevant information in the Customer’s possession;
  • (b) assisting in investigation, mitigation, remediation, and notification activities required under applicable Data Protection Laws; and
  • (c) refraining from making public statements about the Security Incident without the Provider’s prior written consent, except as required by law.

If a Security Incident is caused or contributed to by the Customer, its vendors, or third parties appointed or directed by the Customer, the Customer shall bear all reasonable costs incurred by the Provider in connection with investigation, mitigation, remediation, and any legally required notifications, including reasonable attorneys’ fees.

Provider will promptly take reasonable steps to contain, mitigate, and remedy the Security Incident, and will keep Customer reasonably informed of material developments until closure.

Notifications under this Section:

  • (i) are provided for information purposes only;
  • (ii) do not constitute an admission of fault, liability, or legal responsibility by the Provider; and
  • (iii) do not create any independent obligation or liability not otherwise imposed by this Agreement.

Routine or unsuccessful events that do not compromise security—such as blocked login attempts, port scans, or denial-of-service traffic that does not result in unauthorized access—do not require notice.

9. Deletion & Return of Data

Upon termination or expiry of the Agreement, and subject to the terms of this Section, the Provider shall, upon the Customer’s written request, delete or return Customer Content in its possession or control, except to the extent and for the period retention is required by applicable law, regulation, or competent authority order. In such cases, the Provider shall restrict Processing solely to compliance with such requirement and shall securely delete the Customer Content once retention is no longer required.

The Provider shall have no obligation to delete or return Customer Content residing in routine backup, disaster recovery, or archival systems, provided that such copies: (a) are securely isolated, encrypted, and access-restricted; (b) are not actively Processed for any purpose other than storage or backup maintenance; and (c) will be overwritten or deleted in the ordinary course of the Provider’s standard backup lifecycle, except where retention is required by law, regulation, or competent authority order.

For the avoidance of doubt, the Provider shall have no liability for the Customer’s failure to export or retrieve Customer Content prior to termination, and the Provider shall not be required to provide assistance with data migration or export except as set forth in the section below.

9.1. Optional Data Migration Assistance

Following termination or expiry of the Agreement, the Provider shall have no obligation to provide data migration, extraction, or export services, except to the extent expressly agreed in writing by the parties. Any such assistance shall be:

  • (a) subject to the Provider’s availability and technical feasibility;
  • (b) provided on a time-and-materials basis at the Provider’s then-current professional services rates (unless otherwise agreed in writing);
  • (c) contingent upon the Customer’s advance payment of all applicable fees and expenses; and
  • (d) performed in accordance with the Provider’s standard security and operational procedures.

The Customer shall be solely responsible for designating a migration format and for ensuring compatibility with the Customer’s destination systems. The Provider shall not be responsible for data transformation, reformatting, or integration unless expressly agreed in writing.

For the avoidance of doubt, the Provider shall have no liability for:

  • (i) the Customer’s failure to request migration services within thirty (30) days of termination;
  • (ii) the completeness, accuracy, or integrity of migrated data after delivery to the Customer; or
  • (iii) any inability to migrate data due to limitations inherent in the Services or the Customer’s destination environment.

10. Data Hosting & International Transfers

10.1. Primary Hosting Location

The Provider will host Customer Personal Data primarily in the Customer’s region, being:

  • (i) the European Economic Area ("EEA") if the Customer is located in the EEA or the United Kingdom, or
  • (ii) the United States if the Customer is located in the United States,

unless otherwise agreed in writing by the parties.

10.2. Cross-Border Transfers

Provider may transfer Customer Personal Data to third countries as part of delivering the Services. For any transfer requiring safeguards under European Data Protection Laws, Provider will ensure an appropriate Article 46 mechanism as set out in Annex D.

Where a Subprocessor is located in a third country without an adequacy decision, Provider will enter into and maintain the applicable SCCs (and UK/Swiss addenda, as relevant) with that Subprocessor.

For Restricted Transfers subject to SCCs, Provider will conduct a transfer risk assessment appropriate to the context and implement supplementary technical, contractual, and organizational measures to ensure a level of protection essentially equivalent to that required by European Data Protection Laws. The Provider will monitor such measures for continued effectiveness for as long as the Restricted Transfer continues.

10.3. Subprocessor Locations

The Provider may engage Subprocessors located outside the primary hosting region, provided that such Subprocessors are bound by written agreements requiring them to protect Customer Personal Data to a standard no less protective than that required under this Agreement.

10.4. Operational Flexibility

The Customer acknowledges and agrees that:

  • (a) such transfers may involve Subprocessors in multiple jurisdictions;
  • (b) the Provider may update transfer mechanisms as necessary to comply with changes in law or regulatory guidance;
  • (c) processing outside the primary hosting region may be required for technical support, disaster recovery, security monitoring, or other operational purposes; and
  • (d) such processing will be temporary and limited to the extent necessary for the applicable purpose, with appropriate safeguards maintained.

10.5. No Guarantee of Local Data Residency

Unless expressly stated in the Agreement, the Provider does not guarantee that Customer Personal Data will remain exclusively within any specific jurisdiction or region.

10.6. Documentation Requests

Nothing in this Section obligates the Provider to provide copies of transfer risk assessments or internal compliance documentation except to the extent strictly required by applicable law.

11. Audit & Information Rights

11.1. Compliance Demonstration

To the extent required by applicable Data Protection Laws or the Standard Contractual Clauses (where applicable), and upon the Customer’s written request, the Provider will make available information reasonably necessary to demonstrate its compliance with this DPA. Such information may include: (i) a written statement from the Provider’s security or compliance team (a “Provider Report”); and (ii) supporting materials expressly referenced in this DPA (including, where applicable, Annex A technical and organizational measures, subprocessor list and locations, and incident response overview).

11.2. Remote Review

Unless applicable law or the Standard Contractual Clauses require otherwise, the Customer’s audit right shall be satisfied by a remote review of the Provider Report and relevant supporting materials, which may be conducted no more than once in any twelve (12) month period. Remote reviews may consist of desk-based questionnaires and/or conference calls with designated Provider personnel, limited to the scope necessary to verify compliance with this DPA.

11.3. On-site Audits (Exceptional Circumstances Only)

The Customer may conduct an on-site audit only if: (a) required by applicable law or the Standard Contractual Clauses; or (b) expressly mandated by a competent supervisory authority, government agency, or court order.

Any on-site audit must:

  • (a) occur during normal business hours on mutually agreed dates;
  • (b) be limited in scope and duration to what is strictly necessary to verify compliance with this DPA; and
  • (c) not unreasonably interfere with the Provider’s operations.

11.4. Conditions and Safeguards

Any information obtained in an audit is deemed Provider Confidential Information. The Customer must ensure that any auditor is independent, not a direct competitor of the Provider, and bound by a written nondisclosure agreement acceptable to the Provider. The Provider may redact security-sensitive information, trade secrets, and third-party confidential details before providing materials or access.

11.5. Cost Recovery

Where an audit is initiated:

  • (a) without a legal requirement under applicable Data Protection Laws or the Standard Contractual Clauses; or
  • (b) due to the Customer’s breach of this DPA or applicable law;

the Customer shall reimburse the Provider for all reasonable internal and external costs incurred in connection with facilitating the audit.

11.6. No Expansion of Rights

Nothing in this Section grants the Customer any broader rights of audit or inspection than those mandated by applicable Data Protection Laws or the Standard Contractual Clauses.

12. Cooperation Obligations

If a supervisory or other public authority asks Customer about Processing of Customer Personal Data, Provider will, on request, share readily available information about the Services and their security measures and otherwise cooperate within reasonable bounds.

For any DPIA or prior consultation, Provider will supply service-level facts (e.g., data flows, transfer tools, sub-processor roster, TOMs). No bespoke legal analysis or tooling is required.

Requests clearly meant for Customer (e.g., data-subject rights requests) will be passed on without undue delay; Provider will not respond directly unless the law compels it.

If Provider receives a lawful demand for Customer Personal Data, it will notify Customer (unless prohibited), seek to narrow overbroad requests where reasonable, and disclose only the minimum necessary.

Routine help is included; extraordinary or disproportionate work may be charged at reasonable, documented cost (not if caused by Provider’s breach).

13. Relationship to Agreement

The SCCs (and any UK/Swiss addenda) control over this DPA; this DPA controls over the Agreement for privacy matters; Annexes form part of this DPA.

This DPA follows the Agreement’s governing law and forum except where Data Protection Laws or transfer clauses prescribe otherwise.

Each Party’s total liability under or in connection with this DPA (including the SCCs) is limited by the caps and exclusions in the Agreement; non-excludable liabilities remain unaffected. To the maximum extent permitted by applicable law, in no event shall the Provider be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, or for any loss of profits, loss of revenue, loss of goodwill, loss of data, business interruption, or other intangible losses, even if the Provider has been advised of the possibility of such damages. These exclusions apply regardless of the cause of action or theory of liability and shall apply in addition to, and not in place of, the liability limitations set out above.

Provider may update Annexes (e.g., TOMs, sub-processors, transfer tools) without materially reducing protection; material changes will be notified. Confidentiality, security, cooperation, deletion/return, and transfer provisions survive as needed.

Annex A – Security Measures (TOMs)

Overview. Live Elements Ecosystem S.L. operates an information security program designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, appropriate to risk and in line with GDPR Art. 32.

0.1. Organization & Governance

  • Policies & ownership: Documented security and privacy practices with defined responsibilities; periodically reviewed.
  • Roles & training: Individuals with access to Customer Personal Data are subject to confidentiality obligations and receive appropriate awareness training.
  • Risk management: Periodic, risk-based assessments with tracked remedial actions.

0.2. Access Control & Authentication

  • Least privilege: Access granted on a need-to-know basis with periodic review.
  • Authentication: Strong authentication methods are used for sensitive/administrative functions where feasible; SSO may be supported where available.
  • Secrets: Credentials and keys are handled using commercially reasonable practices.

0.3. Encryption & Key Management

  • In transit: Industry-standard protections (e.g., TLS 1.2+).
  • At rest: Industry-standard encryption is used where appropriate and/or as provided by the hosting platform.
  • Key management: Keys managed using reasonable controls with restricted access.

0.4. Network & System Security

  • Segmentation: Logical separation of production/non-production environments and tenant isolation as appropriate to the architecture.
  • Hardening & patching: Baselines applied; risk-based patching with prioritization for material security issues.
  • Malware controls: Implemented where suitable for the relevant platforms and endpoints.

0.5. Application Security (CMS & Console)

  • Secure development: Reasonable development practices (e.g., peer review or equivalent), dependency management, and risk-based security testing.
  • Change control: Changes are tracked; approvals and rollback approaches are applied as appropriate.

0.6. Monitoring, Logging & Detection

  • Logging: Security-relevant events (e.g., authentication, administrative actions) are logged where feasible and retained per policy.
  • Alerting & Response: Alerts for material suspicious activity with escalation procedures.

0.7. Data Protection & Lifecycle

  • Minimization: Process only data necessary for the Services.
  • Backups: Encrypted backups maintained as appropriate with periodic restore testing.
  • Deletion & disposal: Erasure/disposal per the DPA and provider best practices.

0.8. Incident Response

  • Procedures: Documented processes for triage, containment, recovery, and follow-up.
  • Customer notice: Notification handled in accordance with the DPA’s Security Incident Notification section.

0.9. Third Parties & Subprocessors

  • Due diligence: Risk-based review of subprocessors’ security posture prior to onboarding and appropriate oversight thereafter.
  • Contracts & transfers: Flow-down of relevant security/privacy obligations and use of appropriate transfer tools for third-country Processing.

0.10. Physical & Cloud Provider Security

  • Hosting: Services are hosted with reputable cloud providers that implement recognized physical and environmental safeguards; physical security is managed by such providers.
  • Endpoints: Company-managed endpoints used to administer the Services follow baseline security practices (e.g., OS updates, screen lock, disk encryption where appropriate).

Updates. Live Elements Ecosystem may modify these measures from time to time to reflect changes in technology, risk, or Service design.

1. Annex B – Subprocessors

1.1. Current Subprocessors

A live list is maintained at https://ecosystem.liveelements.io/documents/subprocessors-list.

1.2. Engagement

Customer may object within ten (10) business days on reasonable, materially grounded privacy/security grounds. If unresolved, Customer may terminate the affected Services; Provider refunds prepaid, unused fees for that portion.

2. Annex C – Details of Processing (Art. 28 & SCC Annex I.B)

2.1. Subject Matter & Nature of Processing

Provision of the CMS and Console Services (hosting/delivery of content, media management, APIs, search/indexing, user/admin management, access control, configuration, support), including storage, retrieval, transmission, display, backup, logging, troubleshooting, and security monitoring.

2.2. Purpose of Processing

To provide, secure, maintain, and support the Services under the Agreement, and to comply with Customer’s Instructions and applicable law.

2.3. Duration of Processing

For the term of the Agreement and any post-termination retention required by law (as restricted in the DPA).

2.4. Categories of Data Subjects

  • Customer’s employees/contractors/admin users of the Console
  • End-users/visitors of Customer’s websites/apps powered by the CMS
  • Other individuals whose data Customer uploads to the CMS

2.5. Categories of Personal Data (as determined by Customer)

  • Account & identity: name, username, email, role, tenant IDs
  • Contact & profile: phone (optional), locale, avatar (optional)
  • Technical/usage: IP address, device/agent info, timestamps, API request logs, error logs
  • Content metadata: titles, slugs, tags, relations; media file names/EXIF where provided
  • Auth data: password hashes (if applicable), OAuth/OpenID claims, MFA factors (non-biometric)
  • Support data: limited diagnostic snippets/log excerpts voluntarily shared by Customer
  • Billing contact: business contact details (no card data stored by Provider unless expressly agreed)
  • Special Categories: Not intended / prohibited unless expressly agreed in writing in the Agreement or this Annex with appropriate safeguards.
  • Children’s Data: Not knowingly processed unless expressly agreed by the Parties with appropriate safeguards.

2.6. Sensitive Inferences / High-Risk Data

Customer will not use the Services for government-issued IDs, precise geolocation, biometric templates, or financial account numbers unless expressly permitted in this Annex and protected by additional controls.

2.7. Processing Operations

Collection (via APIs/Console), storage, organization, retrieval, transmission, display, deletion, backup/restore, logging/monitoring, and limited transformation (e.g., search indices, thumbnails) as configured by Customer.

2.8. Data Retention & Deletion

Per “Deletion & Return of Data” and “International Transfers” sections of the DPA and Annex A (TOMs).

2.9. Competent Supervisory Authority

The authority in the EU Member State/EEA where the Customer (data exporter) is established; if none, where the Customer’s EU representative is located.

3. Annex D – International Transfers

3.1. Transfer Mechanisms (General)

For any transfer of Customer Personal Data subject to European Data Protection Laws to a country without an adequacy decision, the Parties rely on:

  • EU SCCs (Commission Decision 2021/914), Module Two (Controller → Processor) and/or Module Three (Processor → Subprocessor), as applicable;
  • UK Addendum (ICO’s International Data Transfer Addendum) for transfers subject to UK GDPR;
  • Swiss Addendum (as defined below) for transfers subject to Swiss FADP.

3.2. SCC Selections

  • Clause 7 (Docking): Applies.
  • Clause 9 (Subprocessing): Option 2 – General authorization; notice period ten (10) business days (per DPA).
  • Clause 17 (Governing law): The law of the EU Member State specified in the Agreement’s governing-law clause.
  • Clause 18 (Forum): Courts of the Member State chosen under Clause 17.
  • Annex I.A (Parties):
  • Annex I.B (Purpose, categories, recipients, transfers): As set out in Annex C.
  • Annex I.C (Supervisory authority): Per Annex C.9.
  • Annex II (TOMs): Annex A of this DPA.
  • Annex III (Subprocessors): Annex B of this DPA.

3.3. UK Addendum (ICO) – Key Terms

  • Table 1 (Parties): As in SCC Annex I.A.
  • Table 2 (Selected SCCs): EU SCCs 2021/914, Modules as above.
  • Table 3 (Description, TOMs, Subprocessors): As in Annex C, Annex A, and Annex B.
  • Table 4 (Ending the Addendum): Either party may end the Addendum as permitted by the UK Addendum if the parties cannot agree on changes required by the ICO.

3.4. Swiss Addendum – Key Adjustments

For Swiss FADP transfers, the EU SCCs are deemed amended as follows:

  • References to "EU", "Member State", and "GDPR" include "Switzerland" and "FADP" where applicable.
  • Supervisory authority: The FDPIC.
  • Jurisdiction & forum: Swiss courts for disputes exclusively under Swiss law.

3.5. Transfer Risk & Supplementary Measures

For transfers under the SCCs/UK/Swiss addenda, Live Elements Ecosystem S.L. conducts a transfer risk assessment appropriate to context and implements supplementary technical, contractual, and organizational measures (e.g., encryption in transit/at rest, access controls, transparency reporting where permitted, narrow interpretations of lawful access) to ensure a level of protection essentially equivalent to that required by European Data Protection Laws, and monitors their effectiveness.