Legal

Data Processing Addendum

The DPA governing Kyoso's processing of customer personal data.

Effective: April 23, 2026 (unless stated otherwise below)

THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) the Kyoso contracting entity who is a counterparty to the Agreement (as identified in the Order Form or otherwise determined in accordance with the terms and conditions thereof) (“Kyoso”); and (2) the entity or other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”.

1. INTERPRETATION

1.1. In this DPA, the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:

  • “Addendum Effective Date” means the effective date of the Agreement.
  • “Agreement” means the agreement under which Kyoso has agreed to provide services to Customer entered into by and between the Parties.
  • “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to Kyoso’s Processing of Customer Personal Data under the Agreement (including, as and where applicable, the GDPR and/or the State Privacy Laws).
  • “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • “Customer Personal Data” means any Personal Data Processed by Kyoso or its Sub-Processor on behalf of Customer to perform the Services under the Agreement.
  • “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
  • “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
  • “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).
  • “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
  • “Personal Data Breach” means a breach of Kyoso’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in Kyoso’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
  • “Personnel” means a person’s employees, agents, consultants, contractors or other staff.
  • “Process”, and grammatical inflections thereof, means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
  • “Processor” means a natural or legal person that Processes Personal Data on behalf of a Controller.
  • “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EU GDPR, any country or territory outside the European Economic Area (“EEA”) which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK GDPR, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
  • “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
  • “Services” means those services and activities to be supplied to or carried out by or on behalf of Kyoso for Customer pursuant to the Agreement.
  • “State Privacy Laws” means, collectively, the comprehensive U.S. state-specific data privacy laws currently in effect and applicable to Kyoso’s Processing of Customer Personal Data under the Agreement.
  • “Sub-Processor” means any third party appointed by or on behalf of Kyoso to Process Customer Personal Data.
  • “Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
  • “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).

1.2. Unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Agreement.

2. PROCESSING OF CUSTOMER PERSONAL DATA

2.1. Details and roles. The Parties acknowledge and agree that the details of Kyoso’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.

2.2. General. Kyoso shall not Process Customer Personal Data other than: (a) on Customer’s instructions set out in the Agreement and this DPA; or (b) as required by applicable laws, provided that in such circumstances, Kyoso shall inform Customer in advance of the relevant legal requirement requiring such Processing if and to the extent Kyoso is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Customer instructs and authorises Kyoso to Process Customer Personal Data for the purposes set out in the Agreement (as further described in Annex 1 (Data Processing Details) to the DPA). The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Kyoso only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Kyoso receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Kyoso shall notify Customer.

3. TECHNICAL AND ORGANISATIONAL MEASURES; ASSISTANCE

3.1. Personnel. Kyoso shall take commercially reasonable steps designed to ascertain the reliability of any Kyoso Personnel who Process Customer Personal Data and shall enter into written confidentiality agreements with all Kyoso Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.

3.2. Security. Kyoso shall implement and maintain technical, administrative, physical, and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access as described from time to time in the Kyoso: Security Measures (the “Security Measures”). Kyoso may modify these Security Measures from time to time to reflect its then-current security standards and practices; provided that such modifications do not materially decrease the overall security of Services and/or relevant Customer Personal Data.

3.3. Data Subject Rights. Kyoso, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests, including access deletion, and cessation of Processing of Customer Personal Data. If Kyoso receives a Data Subject Request, Customer will be responsible for responding to any such request. Kyoso shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.

3.4. DPIAs and Consultations. If and to the extent expressly required by Applicable Data Protection Laws (including, where applicable, by the GDPR), in relation to the given Processing of Customer Personal Data, Kyoso shall, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities, which are required by Applicable Data Protection Laws (including, where applicable, Article 35 or Article 36 of the GDPR), in each case solely in relation to such Processing of Customer Personal Data by Kyoso.

4. PERSONAL DATA BREACHES

4.1. Notifications. Kyoso shall notify Customer without undue delay upon Kyoso’s confirmation of a Personal Data Breach affecting Customer Personal Data. Kyoso shall provide Customer with information (insofar as such information is within Kyoso’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Kyoso) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. To the extent available, this notification will include Kyoso’s then-current assessment of the following, which may be based on incomplete information: (a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) measures taken or proposed to be taken by Kyoso to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects. Kyoso’s notification of or response to a Personal Data Breach shall not be construed as Kyoso’s acknowledgement of any fault or liability with respect to the Personal Data Breach. Nothing in this DPA or in the SCCs shall be construed to require Kyoso to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally. As between the Parties, Customer is solely responsible for complying with applicable laws (including notification laws), and fulfilling any third-party notification obligations, related to any Personal Data Breaches.

4.2. Consultation with Kyoso. If Customer determines that a Personal Data Breach suffered by Kyoso or a Sub-Processor affecting Customer Personal Data must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws or otherwise, to the extent such notice directly or indirectly refers to or identifies Kyoso, where permitted by applicable laws, Customer agrees to: (a) notify Kyoso in advance; and (b) in good faith, consult with Kyoso and consider any clarifications or corrections Kyoso may reasonably recommend or request to any such notice, which: (i) relate to Kyoso’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.

5. SUB-PROCESSING

5.1. General authorisation. Customer generally authorises Kyoso to appoint Sub-Processors in accordance with this Section 5. Information about Kyoso’s Sub-Processors, including their functions and locations, is as shown from time to time at our Kyoso: Sub-Processor Page (the “Sub-Processor List”). Customer authorises Kyoso engagement of the Sub-Processors listed on the Sub-Processor List as of the Addendum Effective Date.

5.2. Notification. Kyoso shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor by updating the Sub-Processor List. Customer agrees that Customer is solely responsible for ensuring that it subscribes to such updates, and it shall do so. If, within ten (10) business days of receipt of that notice, Customer notifies Kyoso in writing of any objections to the proposed appointment (made in good faith based upon evidenced concerns that the use of that proposed Sub-Processor would cause Customer to be in material and unavoidable breach of Applicable Data Protection Laws): (a) Kyoso shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within thirty (30) days from Kyoso’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then either Party may terminate without penalty the Processing of Customer Personal Data and/or the Agreement with respect only to those services which cannot be provided by Kyoso without the use of the objected-to new Sub-Processor by providing written notice to the other Party. If Customer does not object to Kyoso’s appointment of a Sub-Processor during the objection period referred to in this Section 5.2, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.

5.3. Kyoso Responsibilities. With respect to each Sub-Processor, Kyoso shall maintain a written contract between Kyoso and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). As between the Parties, Kyoso shall remain liable for any breach of this DPA caused by a Sub-Processor.

6. DATA TRANSFERS

6.1. Restricted Transfers by Kyoso. Customer acknowledges and agrees that Kyoso may effect Restricted Transfers to third parties under or in connection with this Agreement (including where Kyoso’s use of a Sub-Processor involving a Restricted Transfer is approved in accordance with Section 7). Kyoso agrees that it shall only make any such Restricted Transfers in compliance with its obligations under the Agreement, this DPA, Applicable Data Protection Laws and any SCCs (if and as entered into pursuant to Section 6.2), including establishing a ‘transfer mechanism’ under Chapter V of the GDPR for that Restricted Transfer.

6.2. Restricted Transfers to Kyoso.

6.2.1. Entry into SCCs. In respect of any Restricted Transfer of Customer Personal Data from Customer to Kyoso under this DPA: (a) that is an EU Restricted Transfer, the Parties hereby enter into and agree to comply with their respective obligations set out in the SCCs; and/or (b) that is a UK Restricted Transfer, the Parties hereby enter into and agree to comply with their respective obligations set out in the SCCs as varied by the UK Transfer Addendum. For the avoidance of doubt, where Lumina Video Ltd (a UK company) is the Kyoso contracting entity to the Agreement and this DPA, it is acknowledged that there shall be: (y) no such UK Restricted Transfer from Customer to Kyoso; nor (z) for so long as the United Kingdom benefits from an adequacy decision from the European Commission, no such EU Restricted Transfer from Customer to Kyoso.

6.2.2. Population of SCCs. In respect of any SCCs entered into pursuant to Section 6.2.1, the Parties agree as follows: (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; (b) as applicable: (i) Module Two of the SCCs applies to any relevant Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and (ii) Module Three of the SCCs applies to any relevant Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself a Processor; (c) as and where applicable to the relevant Module of the SCCs and the Clauses thereof: (i) in Clause 7: the ‘Docking Clause’ is not used; (ii) in Clause 9: ‘OPTION 2: GENERAL WRITTEN AUTHORISATION’ applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 5.2; (iii) in Clause 11: the optional language is not used; (iv) in Clause 13: all square brackets are removed and all text therein is retained; (v) in Clause 17: ‘OPTION 1’ applies, and the Parties agree that the SCCs shall be governed by the law of: (A) Ireland in relation to any EU Restricted Transfer and (B) England and Wales in relation to any UK Restricted Transfer; and (vi) in Clause 18(b): the Parties agree that any dispute arising from the SCCs: (A) in relation to any EU Restricted Transfer, shall be resolved by the courts of Ireland; and (B) in relation to any UK Restricted Transfer, shall be resolved by the courts of England and Wales; and (d) in respect of the Annexes to the Appendix to the SCCs: (i) Annex I is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA; and (ii) Annex II is populated with reference to the information contained in and determined by Section 3.2 of the DPA (including the Security Measures).

6.2.3. Population of UK Transfer Addendum. Where relevant in accordance with Section 6.2.1(b), the SCCs apply to any UK Restricted Transfers as varied by the UK Transfer Addendum in the following manner: (i) ’Part 1 to the UK Transfer Addendum’: (A) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and Section 6.2.2; and (B) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked; and (ii) ‘Part 2 to the UK Transfer Addendum’: the Parties agree to be bound by the UK Mandatory Clauses and that the SCCs shall apply to any UK Restricted Transfers as varied in accordance with those Mandatory Clauses.

6.2.4. Operational Clarifications. In relation to any SCCs entered into pursuant to Section 6.2.1, the Parties agree as follows: (a) when complying with its transparency obligations under Clause 8.3 of the SCCs, Customer shall not provide or otherwise make available, and shall take all appropriate steps to protect, Kyoso’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information; (b) where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Kyoso to notify any third-party Controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer; (c) for the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required; (d) the terms and conditions of Section 5 apply in relation to Kyoso’s appointment and use of Sub-Processors under the SCCs; (d) any approval by Customer of Kyoso’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to Section 5 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs; (e) the audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 6; (f) certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer’s written request; (g) in relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied by Section 6.2.3; and (h) in respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request; accompanied by suitable supporting evidence of the relevant request – Kyoso shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with relevant provisions of this DPA in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.

7. AUDITS

7.1. Information provision and audits. Kyoso shall make available to Customer, upon reasonable request by Customer or its designee, such information as Kyoso (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. Subject to Sections 7.2 to 7.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that such information is not sufficient in the circumstances to demonstrate Kyoso’s compliance with this DPA, Kyoso shall allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Kyoso.

7.2. Customer responsibilities. Customer shall give Kyoso reasonable notice of any audit to be conducted under Section 7.1 (which shall in no event be less than fourteen (14) days’ notice, unless a shorter notice period is specifically required under Applicable Data Protection Laws relevant to the audit concerned) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Kyoso’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Kyoso’s other customers or the availability of Kyoso’s services to such other customers).

7.3. Audit plans. Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Kyoso will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Kyoso security, privacy, employment or other relevant policies). Kyoso will work cooperatively with Customer to agree on a final audit plan.

7.4. Limitations. Kyoso need not give access to its premises for the purposes of any audit under this Section 7: (a) where a third-party audit report or certification (e.g., SOC 2 Type 2, ISO 2700x, NIST or similar audit report or certification) is provided in lieu of such access (acceptance of which for this purpose not to be unreasonably withheld, delayed or conditioned by Customer); (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Kyoso has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Kyoso on terms acceptable to Kyoso (acting reasonably); (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits which Customer is required to carry out under Applicable Data Protection Laws or by a Supervisory Authority. Nothing in this DPA shall require Kyoso to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 7 shall be construed to obligate Kyoso to breach any duty of confidentiality.

8. RETURN AND DELETION

8.1. General. Upon expiration or earlier termination of the Agreement, Kyoso shall return and/or delete all Customer Personal Data in Kyoso’s care, custody or control in accordance Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement. To the extent that deletion of any Customer Personal Data contained in any back-ups’ maintained by or on behalf of Kyoso is not technically feasible within the timeframe set out in Customer’s instructions, Kyoso shall (a) securely delete such Customer Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Kyoso’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Customer Personal Data beyond use.

8.2. Permitted retention. Notwithstanding the foregoing, Kyoso may retain Customer Personal Data where required by applicable laws, provided that Kyoso shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.

9. CUSTOMER’S RESPONSIBILITIES

9.1. Security. Customer agrees that, without limiting Kyoso’s obligations under Section 3.2 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Kyoso uses to provide the Services; and (d) backing up Customer Personal Data.

9.2. Compliance. Customer shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Kyoso of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Kyoso of Customer Personal Data.

9.3. Restricted Data. Customer shall not provide or otherwise make available to Kyoso any data or information that contains any (a) Social Security numbers or other government-issued identification numbers; (b) health insurance information, Protected Health Information subject to the Health Insurance Portability and Accountability Act (HIPAA), or other information regarding an individual’s health, medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) genetic, neural, or biological data; (d) data relating to a person’s racial or ethnic origin, religious or philosophical beliefs, political opinions, sexuality or sexual orientation, status as transgender or non-binary, citizenship, citizenship or immigration status, union membership, or status as a victim of crime; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 16 years of age; or (j) any other information that falls within any Special Categories of Personal Data (as defined in the GDPR) and/or data relating to criminal convictions and offences or related security measures.

10. VARIOUS

10.1. Incorporation and Application. This DPA shall be incorporated into and form part of the Agreement with effect on and from the Addendum Effective Date. This DPA: (a) applies only if and to the extent Applicable Data Protection Laws govern Kyoso’s Processing of Customer Personal Data in performance of the Service(s) as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws; and (b) does not apply to Kyoso’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.

10.2. State Privacy Laws. Annex 2 (State Privacy Laws Annex) applies if and to the extent Kyoso’s Processing of Customer Personal Data on behalf of Customer under the Agreement is subject to the State Privacy Laws.

10.3. Costs. Except to the extent prohibited by Applicable Data Protection Laws, Customer shall compensate Kyoso at Kyoso’s then-current professional services rates for, and reimburse any costs reasonably incurred by Kyoso in the course of providing, cooperation, information, or assistance requested by Customer pursuant to Sections 3.3 (Data Subject Rights), 3.4 (DPIAs and Consultations) and 7 (Audits) of this DPA (provided that Kyoso shall bear its own costs in the event that any audit or inspection conducted in accordance with that Section 7 reveals any material non-compliance by Kyoso with this DPA and/or Applicable Data Protection Laws), in each case, beyond providing self-service features included as part of, or in connection with, the Services.

10.4. LIABILITY. THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY TOWARDS THE OTHER PARTY, HOWSOEVER ARISING, UNDER OR IN CONNECTION WITH THIS DPA AND THE SCCS (IF AND AS THEY APPLY) WILL UNDER NO CIRCUMSTANCES EXCEED ANY LIMITATIONS OR CAPS ON, AND SHALL BE SUBJECT TO ANY EXCLUSIONS OF, LIABILITY AND LOSS AGREED BY THE PARTIES IN THE AGREEMENT; PROVIDED THAT, NOTHING IN THIS SECTION 10.4 WILL AFFECT ANY PERSON’S LIABILITY TO DATA SUBJECTS UNDER THE THIRD-PARTY BENEFICIARY PROVISIONS OF THE SCCS (IF AND AS THEY APPLY).

10.5. Required Updates. Each Party shall act in good faith to agree variations to this DPA that are reasonably necessary to address the requirements of Applicable Data Protection Laws from time to time (including to apply a new transfer mechanism to comply with relevant requirements of the GDPR).

10.6. Prevail. This DPA shall be incorporated into and form part of the Agreement with effect on and from the Addendum Effective Date. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any SCCs entered into pursuant to Section 6 and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

Annex 1 — Data Processing Details

Kyoso Details

Name:The Kyoso contracting entity who is a counterparty to the Agreement (as determined in accordance with the terms and conditions thereof), which may be either:
  • Lumina Video Ltd (trading as ‘Kyoso’)
  • Lumina Platform US, Inc.
Address:
  • Lumina Video Ltd (trading as ‘Kyoso’): a company incorporated and registered in England and Wales with company number 15589804 whose registered office is at 46 Trinity House 46 Trinity House, 375 Kensington High Street, London, England, W14 8QA.
  • Lumina Platform US, Inc: a Delaware corporation with its principal place of business at 800 North State Street, Suite 304, Dover, Delaware 19901, United States.
Contact Details for Data Protection:
Kyoso Activities:Kyoso is a platform that offers a virtual creative team powered by generative AI to design, generate, and market audiovisual branding and promotional content.
Role:Processor

Customer Details

Name:The entity who is a counterparty to the Agreement
Address:Customer’s address is the address shown in the Order Form; or if no such address is contained within the Order Form, Customer’s principal business trading address
Contact Details for Data Protection:As set forth in the Order Form or elsewhere in the Agreement between Customer and Kyoso. Customer agrees that it is solely responsible for ensuring that such contact details are valid and up to date, and direct relevant communications to the appropriate individual within its organisation
Customer Activities:Customer’s activities relevant to this DPA are the use and receipt of the Services as part of its ongoing business operations under and in accordance with the Agreement
Role:
  • Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and
  • Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.

Details Of Processing

Categories of Data Subjects:Any Data Subjects whose Personal Data is comprised within Customer Content, which will be as determined by Customer and its Authorised Users through its and their use of the Services.
Categories of Personal Data:Any Personal Data comprised within Customer Content, which will be as determined by Customer and its Authorised Users through its and their use of the Services (including as a result of the integration and configuration of any Connected Applications, as well as the content of Inputs) – which may include individuals’ names, images and likeness of Data Subjects included in Customer Content submitted to the Platform.
Sensitive Categories of Data, and associated additional restrictions/safeguards:Categories of sensitive data:
  • General. Any sensitive data comprised within Customer Content, which will be as determined by Customer and/or Authorised Users through its and their use of the Kyoso Platform (including as a result of the integration and configuration of any Connected Applications).
  • Additional safeguards. N/A – Kyoso provides uniform standards of information and data security across the board to all relevant systems and data types in the manner determined by and set out in Section 3 of the DPA and Kyoso: Security Measures.
Frequency of transfer:Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services
Nature of the Processing:Processing operations required in order to provide the Services in accordance with the Agreement, which may include collection, recording, organisation, structuring, storage, consultation, redaction, analysis, use, alignment or combination, restriction, erasure and / or destruction.
Purpose of the Processing:Processing necessary to provide the Services.
Duration of Processing / Retention Period:For the period determined in accordance with the Agreement and DPA, including Section 8 of the DPA
Transfers to Sub-Processors:Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.
Competent Supervisory Authority:If and where applicable, having regard to Section 6 of the DPA:
  • EU Restricted Transfers: the competent Supervisory Authority shall be determined as follows: (i) where Customer is established in an EU Member State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which Customer is established; and (ii) where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU Representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which Customer’s EU Representative relevant to the Processing hereunder is based (from time-to-time), which Customer shall notify to Kyoso in writing.
  • UK Restricted Transfers: the UK Information Commissioner’s Office.

Annex 2 — State Privacy Laws Annex

1. For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell,” “share” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Personal Data that constitutes personal information governed by the State Privacy Laws.

2. It is the parties’ intent that with respect to any personal information, Kyoso is a service provider. Kyoso (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Kyoso’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Kyoso that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information.

3. Kyoso shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services, or as otherwise permitted by the State Privacy Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between Kyoso and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) or collected from Kyoso’s own interaction with any Consumer to whom such personal information pertains, except as and to the extent necessary as a part of Kyoso’s provision of the Services. Kyoso hereby certifies that it understands its obligations under this Section 2 and will comply with them.

4. Giving Customer notice of Sub-Processor engagements in accordance with Section 5 of the DPA shall satisfy Kyoso’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.

5. Kyoso agrees that Customer may conduct audits, in accordance with Section 7 of the DPA, to help ensure that Kyoso’s use of personal information is consistent with Kyoso’s obligations under the State Privacy Laws.

6. The parties acknowledge that Kyoso’s retention, use and disclosure of personal information authorised by Customer’s instructions documented in the DPA are integral to Kyoso’s provision of the Services and the business relationship between the parties.

Subprocessors

The third-party companies that process customer data on Kyoso's behalf.

Security Measures

Technical, administrative, and organizational measures Kyoso applies to protect customer data.

On this page

1. INTERPRETATION2. PROCESSING OF CUSTOMER PERSONAL DATA3. TECHNICAL AND ORGANISATIONAL MEASURES; ASSISTANCE4. PERSONAL DATA BREACHES5. SUB-PROCESSING6. DATA TRANSFERS7. AUDITS8. RETURN AND DELETION9. CUSTOMER’S RESPONSIBILITIES10. VARIOUSAnnex 1 — Data Processing DetailsKyoso DetailsCustomer DetailsDetails Of ProcessingAnnex 2 — State Privacy Laws Annex