This Personal Data Processing Addendum (the “DPA”) is subject to the terms of the Lamina Marketplace Platform Agreement or Lamina Limited Access Platform Agreement (the “Master Agreement”), as applicable, between Lamina, LLC (“Lamina”) and the Party identified as “Customer” in such Master Agreement and is incorporated into such Master Agreement. This DPA reflects the Parties’ agreement with respect to the Processing of Personal Data (defined below) by Lamina on behalf of Customer in connection with access to and use of the Lamina Platform (as defined below) pursuant to the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA unless otherwise expressly indicated herein.

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA. 

“Affiliate” has the meaning set forth in the Master Agreement.

"Business Purpose" means the Lamina Services described in the Master Agreement or any other purpose specifically identified in Appendix A.

"Data Subject" means an individual Person who is the subject of the Personal Data.

“Lamina Platform” has the meaning set forth in the Master Agreement.

"Personal Data" means any information that Customer or any Customer Authorized User provides to Lamina or the Lamina Platform under or in association with the subject matter of the Master Agreement that (a) identifies or relates to an individual Person who can reasonably be identified directly or indirectly from that data alone or in combination with other information in Lamina's possession or control (including on the Lamina Platform) or that Lamina is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal data or information.

"Processing”, “Processes”, or “Process" means any activity that involves the use of Personal Data or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of the terms Processing, Processes, or Process, which includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying the data. Processing, Processes, and Process also include transferring Personal Data to third parties.

"Privacy and Data Protection Requirements" means all Laws relating to the Processing, protection, or privacy of Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

"Security Event" means any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data. “Security Event” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of services attacks, and other network attacks on firewalls or networked systems. 

“Sub-Processor” means a Subcontractor engaged by Lamina to Process Personal Data on behalf of, and under the instructions of, Customer in connection with the provision of the Lamina Services under the Master Agreement.

2. Roles of the Parties and Processing Purposes

2.1 Customer is the “business” or “controller,” and Lamina is the “processor” or “service provider” (as those terms are defined under the Privacy and Data Protection Requirements), with respect to Personal Data. Customer is responsible for its compliance obligations under the Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to Lamina. Notwithstanding the foregoing, this DPA does not apply to instances where Lamina acts as an independent “business” or “controller” with respect to Personal Data, such as data Lamina collects from Customer for billing purposes.
2.2 Appendix A describes the general Personal Data categories and related types of Data Subjects that Lamina may Process to fulfill the Business Purposes of the Master Agreement. Customer discloses Personal Data to Lamina only for the limited and specified Business Purposes, and Lamina will not use the Personal Data for any other purpose.

3. Lamina's Obligations

3.1 Lamina may only Process, retain, use, or disclose Personal Data as is reasonably necessary for the Business Purposes in accordance with the Customer's instructions, including as set forth in this DPA, the Master Agreement, and any applicable order form, or as Privacy and Data Protection Requirements permit. Lamina may not Process, retain, use, or disclose the Personal Data in a way that does not comply with this DPA or the Privacy and Data Protection Requirements or for any other purpose other than the Business Purposes, including by combining or updating the Personal Data with personal information obtained from any source other than through the Master Agreement unless the Privacy and Data Protection Requirements permit such combination or update. Lamina may not use Personal Data to conduct internal research or development activities. Lamina will promptly notify Customer if, in its opinion, Customer's instructions with respect to Personal Data do not comply with the Privacy and Data Protection Requirements.

3.2 Lamina will promptly comply with Customer’s request or instruction requiring Lamina to amend, transfer, or delete the Personal Data or to stop, mitigate, or remedy any unauthorized Processing.

3.3 Lamina will maintain the confidentiality of all Personal Data and will not “sell” or “share” (as defined under the Privacy and Data Protection Requirements) the Personal Data or disclose it to third parties without specific authorization from Customer or as expressly permitted in this DPA, unless required by Law. If a Law requires Lamina to Process or disclose Personal Data, Lamina must first inform Customer of the legal requirement and give Customer an opportunity to object or challenge the requirement, unless the Law prohibits such notice.

3.4 Lamina will reasonably assist Customer with meeting Customer's compliance obligations under the Privacy and Data Protection Requirements, accounting for the nature of Lamina's Processing and the information available to Lamina.

3.5 Lamina will promptly notify the Customer of its inability to meet the obligations under applicable Privacy and Data Protection Requirements that may adversely affect Lamina's performance of the Master Agreement or this DPA. 

3.6 Lamina is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Data other than as required under the Privacy and Data Protection Requirements.

4. Lamina's Employees

4.1 Lamina will limit its employees’ access to Personal Data to:

(a) only those of Lamina’s employees who require access to the Personal Data in order for Lamina to meet its obligations under this DPA and the Master Agreement; and
(b) and in the case of (a), such employees will only be allowed to access the part or parts of the Personal Data that those employees require for the performance of their duties on behalf of Lamina.

4.2 Lamina will ensure that its employees:

(a) do not access, copy, or use Personal Data in violation of Section

4.1 of this DPA or the Master Agreement;

(b) keep the Personal Data confidential in full compliance with the Master Agreement and this DPA; and
(b) and are properly trained and assessed with respect to their obligations with respect to the Personal Data, including compliance with Privacy and Data Protection Requirements.

4.3 Lamina will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks consistent with Laws on, all Lamina’s employees (and as otherwise provided in the Master Agreement) with access to the Personal Data.  Lamina is responsible for the performance of, and all acts and omissions by, its employees with respect to this DPA, the Master Agreement, and the Privacy and Data Protection Requirements.

5. Security
Lamina will comply with the Master Agreement and the Data Security Schedule with respect to all Personal Data. 

6. Security Events 

6.1 Lamina will, within 48 hours of discovery, notify Customer if it becomes aware of any Security Event.

6.2 Promptly following any Security Event, Lamina will take reasonable steps to contain, investigate, remedy, and mitigate the Security Event and to keep Customer informed of all material developments as they occur in connection therewith. Lamina will reasonably co-operate with Customer in Customer's handling of the matter and will provide all information reasonably required by Customer for it to comply with any Laws or requirements under applicable Privacy and Data Protection Requirements. To the extent a Security Event is caused by Customer or a Customer Authorized User, Lamina will do all of the foregoing based on Customer’s reasonable requests and to the extent Lamina is in a position to do so.

6.3 Lamina will not inform any third party of a Security Event without first obtaining Customer's prior written consent, except when such notification is required by Law. 

6.4 Except as set forth above, Customer has the sole right to determine:

(a) whether to provide notice of the Security Events to any Data Subjects, regulators, law enforcement agencies, or others, as required by Law or in Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7. Sub-Processors

7.1 Subject to the terms and conditions set forth in this DPA and the Master Agreement, Customer authorizes Lamina to use and disclose Personal Data to Sub-Processors engaged by Lamina solely for the Business Purposes. Affiliates of Lamina may be engaged as Sub-Processors. Lamina may not engage a Sub-Processor unless such Sub-Processor is subject to an agreement with Lamina that contains data protection terms not less protective as those provided for by this DPA and the Master Agreement with respect to the protection of Personal Data. Lamina is liable for any breach of its obligations under this DPA or the Master Agreement that is caused by an act, error, or omission of its Sub-Processors to the same extent as if it performed the act, error, or omission.

7.2 The current list of Sub-Processors that may be engaged in Processing Personal Data is listed at https://www.laminafs.com/subprocessors. Lamina will provide Customer with prior notice, via email, of the addition or replacement of Sub-Processors before authorizing any new Sub-Processor(s) to Process Personal Data in connection with the Master Agreement. Such email will be sent either to the Designated Contacts (as defined in the Lamina Support Services and Availability Terms incorporated into the Master Agreement) or, if applicable, to the user who accepted the terms and conditions of the Lamina Limited Access Platform Agreement on behalf of Customer (collectively, the “Privacy Contact(s)”). Customer must notify Supplier within 10 business days of receipt of Lamina’s notice of a new Sub-Processor if it objects to the addition or replacement of a Sub-Processor; if Customer does not object, then the Sub-Processor is deemed accepted by Customer. Customer’s objection should be sent to support@laminafs.com and include the grounds for its objection. If Customer objects to Supplier's appointment of a Sub-Processor on reasonable grounds relating to the protection of Personal Data, and Supplier is unable to address such objection to Customer’s reasonable satisfaction within a reasonable period of time, not to exceed thirty (30) days (such as by using reasonable efforts to make available a change in the configuration of Customer’s access to the Lamina Systems), then Customer may suspend or terminate the applicable Order Addendum(s) without penalty by providing written notice to Lamina. Lamina will refund to Customer within 30 days all prepaid fees covering the remainder of the term of such Order Addendum(s) following the effective date of termination.

8. Data Subject Requests, Complaints, and Third Party Rights

8.1 Lamina will notify Customer promptly if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Data, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other Processing actions.

8.2 Lamina will give Customer reasonable co-operation and assistance in responding to any Data Subject request, accounting for the nature of the Processing and information available to Lamina. 

9. Term and Termination

9.1 This DPA is in full force and effect so long as: 

(a) the Master Agreement remains in effect; or 
(b) Lamina retains any Personal Data related to the Master Agreement in its possession, custody, or control.

9.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement to protect Personal Data remains in full force and effect. 

9.3 In the event that Lamina receives any regulatory inquiry or correspondence regarding Personal Data or in which Customer is named (an “Inquiry”), Lamina will, to the extent not prohibited by Law or any regulatory authority:

(a) Notify Customer of such Inquiry in writing within three (3) calendar days of receiving such Inquiry;
(b) Provide Customer with all copies of documents and correspondence relating to the Inquiry without undue delay after receipt or delivery of such documents or correspondence;
(c) Provide Customer with a written certification at the conclusion of the Inquiry that all actions required by Law or the Privacy and Data Security Requirements have been properly taken as required in response to such Inquiry;
(d) Not disclose any Confidential Information of Customer or any affiliated party to the applicable authority without Customer’s prior written consent.

10. Data Destruction

10.1 On termination of the Master Agreement for any reason or expiration of its Term, Lamina will securely destroy and not retain all or any Personal Data in its possession, custody, or control, except to the extent required by Law or as required by its internal backup policies and procedures, provided that such backup copies are deleted in the normal course of business and the retained Personal Data is not accessed by Lamina or any other party prior to its deletion without Customer’s prior written consent. 

10.2 As further described in the Master Agreement, if the Lamina Platform is utilized for sub-participation of a Loan Agreement, the Customer Authorized Participating Institution will be treated as the Lamina Subscriber Institution with respect to the separate deal site created on the Lamina Platform for such sub-participation and any Personal Data posted to the separate deal site will be controlled by such Customer Authorized Participating Institution as provided in the Lamina Subscription Agreement entered into by such Customer Authorized Participating Institution.  

11. Audit

11.1 Upon Customer’s written request, and no more than once per 12-month period except as otherwise set forth in the Master Agreement or the Data Security Schedule, Lamina will make existing third-party audit reports relevant to this DPA and/or the Personal Data available to the Customer for review, including Lamina's then-latest Service Organization Controls (SOC) 2 Type 2 audit report. Lamina will also provide other information reasonably requested by Customer as may be necessary to demonstrate compliance with this DPA and the Master Agreement. 

11.2 Where the information available pursuant to Section 11.1 does not suffice to demonstrate compliance with this DPA and the Master Agreement, or in the event of a Security Event, or pursuant to requirement under Laws or applicable Privacy and Data Protection Requirements, Customer may schedule an audit with Lamina, which may be conducted by Customer or a third-party auditor acting on Customer’s behalf, to acquire the necessary information. Such audits will be limited to the Lamina Systems. Nothing in the Master Agreement or DPA gives Customer the right to access the information of other Lamina customers. 

11.3 Customer will treat audit reports and information provided pursuant to Section 11 as Lamina's Confidential Information under the Master Agreement. Lamina reserves the right to require execution of a reasonable confidentiality agreement between it and any third parties engaged by Customer in connection with exercise of Customer’s rights under this Section.

12. Notice

12.1 Any notice or other communication given to a Party under or in connection with this DPA must be in writing and delivered as required in the Master Agreement, with a courtesy copy to (email is sufficient for such copy):
For Customer: Customer’s Privacy Contacts.
For Lamina: support@laminafs.com.

12.2 Section 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any method of dispute resolution. 

13. Interpretation. 

13.1 The appendices to this DPA form a part of it as if set out in full in the body of this DPA. Any reference to this DPA includes the appendices.

13.2 In the case of conflict or ambiguity between:

(a) any provision contained in the body of this DPA and any provision contained in the appendices, the provision in the body of this DPA prevails;
(b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the appendices, the provision contained in the appendices prevails; and
(c) any of the provisions of this DPA and the provisions of the Master Agreement, the terms of the Master Agreement specify which provision prevails. Notwithstanding anything to the contrary, the limitations on liability set forth in the Master Agreement apply to this DPA.

APPENDIX A

Personal Data Processing Purposes and Details