Lightup Data Processing Addendum (DPA)
v1.1 DPA Effective Date: AUGUST 16, 2023
This Data Processing Addendum (the “DPA”) is incorporated into and forms part of the terms and conditions of the Lightup Terms of Service or other agreement under which Lightup Data, Inc. (“Lightup”) provides services to Customer pursuant to an agreement (the “Agreement”) executed between the party identified therein as the “Customer” and Lightup. All capitalized terms used in this DPA but not defined herein shall have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.
This DPA sets out the terms that apply when Customer Personal Data is Processed by Lightup under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Applicable Privacy Law and respects the rights of individuals whose Customer Personal Data are Processed under the Agreement. This DPA applies only to Lightup-hosted accounts. It does not apply to on-premises or other Customer-hosted instances of Lightup Products.
Now, therefore, the Parties agree as follows:
“Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable:
“EU Data Protection Law”: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC), each as implemented and transposed into local law by any EU member states.
“Swiss DPA”: the Swiss Federal Act on Data Protection 1992 (including as amended or superseded).
“UK Data Protection Law”: the UK Data Protection Act and GDPR as incorporated into UK law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
“US Data Protection Law”: the California Privacy Rights Act (“CPRA”); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Indiana Consumer Data Protection Act (effective 1 Jan. 2026); Iowa Consumer Data Protection Act (effective 1 Jan. 2025); Montana Consumer Data Privacy Act (effective 1 Jan. 2024); Oregon Consumer Privacy Act; Tennessee Information Protection Act (effective 1 July 2025); Texas Data Privacy and Security Act (effective 1 July 2024); Utah Consumer Privacy Act; Virginia Consumer Data Protection Act; and all applicable comprehensive state data protection laws and regulations that are or are not yet in effect as of the Effective Date; in each case as may be amended or superseded from time to time.
Applicable Law excludes those laws applicable to Excluded Data as defined in the Agreement.
“Controller” means a “controller” or “business,” as such terms or analogous variations thereof are defined under Applicable Privacy Laws, that, alone or jointly with others, determines the purposes for and means of Processing.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person. “Customer Personal Data” shall mean Personal Data that are provided by or on behalf of Customer to the Lightup Products and Services.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, alignment or combination, restriction, erasure or destruction.
“Processor” means a “service provider” or “processor,” as such terms or analogous variations thereof are defined under Applicable Privacy Laws, that Processes personal data or information on behalf of another company.
“Standard Contractual Clauses” or “SCCs” means: (i) where EU Data Protection Law or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where UK Data Protection Law applies, standard data protection clauses adopted pursuant to or permitted under UK Data Protection Law (“UK SCCs”).
“Subprocessor” means any third party engaged by Lightup for the Processing of Customer Personal Data in connection with the Lightup Products and Services and may include Lightup’s affiliates and subsidiaries.
2. Applicability; Roles of the Parties
This DPA applies only to the extent Lightup Processes Personal Data of End Users that is subject to Applicable Privacy Laws. Customer is (or represents that it is acting with full authority on behalf of) the Controller and Lightup is the Processor with respect to the Customer Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints Lightup as Customer’s subprocessor, which shall not change the obligations of either Customer or Lightup under this DPA.
3. Customer’s Instructions to Lightup
3.1 Purpose Limitation. Lightup will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in this DPA, unless obligated to do otherwise by Applicable Privacy Law. In such case, Lightup will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Lightup shall only Process Customer Personal Data for the following purposes: (i) Processing as reasonably required to provide the Lightup Products and Services and perform Lightup’s obligations under the Agreement and this DPA, and as otherwise agreed by the Parties; (ii) Processing initiated by Customer and its users in their use of the Lightup Products and Services; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement and Applicable Privacy Laws; and (iv) as otherwise required by Applicable Privacy Law. Further details regarding Lightup’s Processing operations are set forth in Annex A.
3.2 Lawful Instructions. Customer shall, in its use of the Lightup Products and Services, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Law, including any applicable requirement to provide notice to data subjects of the use of Lightup as Processor. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will not instruct Lightup to Process Personal Data in violation of Applicable Privacy Law. Lightup has no obligation to monitor the compliance of Customer’s use of the Lightup Products and Services with Applicable Privacy Law, though Lightup will immediately inform Customer if, in Lightup’s opinion, an instruction from Customer infringes Applicable Privacy Law. The Agreement and this DPA, along with Customer’s configuration and use of the Lightup Products and Services, are Customer’s complete and final instructions to Lightup in relation to the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses, and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the Parties.
3.3 CPRA Requirements. With respect to Customer Personal Data to which the CPRA applies (capitalized terms used in this section having the meanings provided in CPRA):
(a) Lightup shall act as a Service Provider to Customer and shall collect, access, maintain, use, process, and transfer Customer Personal Data solely for the purpose of performing Lightup’s obligations under this Agreement for or on behalf of Customer and for no commercial purpose other than the performance of such obligations.
(b) Lightup shall not Sell or Share, disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another business or third party without Customer’s prior written consent unless and to the extent that such disclosure is made to a Subcontractor for a business purpose, provided that Lightup has entered into a written agreement with Subcontractor which imposes substantively the same obligations on the Subcontractor with regard to their processing of Customer Personal Data as are imposed on Lightup under this DPA and the Agreement. Notwithstanding the foregoing, nothing in this DPA shall restrict Lightup’s ability to disclose Customer Personal Data to comply with applicable laws; provided that if such disclosure is required, Lightup will promptly notify Customer of the request for disclosure unless such notification is prohibited by applicable law or a legally binding order.
4.1 Subprocessors. Customer acknowledges and agrees that Lightup’s affiliates and certain third parties may be retained as Subprocessors to Process Customer Personal Data on Lightup’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Lightup Products and Services. Lightup’s third-party Subprocessors as of the DPA Effective Date are listed at https://lightup.ai/subprocessors (the “Subprocessor List”). Prior to a Subprocessor’s Processing of Customer Personal Data, Lightup will impose contractual obligations on the Subprocessor substantially the same as those imposed on Lightup under this DPA. Lightup remains liable for its Subprocessors’ performance under this DPA to the same extent Lightup is liable for its own performance hereunder.
4.2 Notification. Lightup will update the website above with any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. That website includes a self-enrollment system where Customer can add an email address to receive notices of subprocessor changes. The subprocessor agreements to be provided under Clause 5(j) of the Standard Contractual Clauses may have all commercial information or provisions unrelated to the Standard Contractual Clauses redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon written request.
4.3 Right to Object. Customer may reasonably object to Lightup’s use of a new Subprocessor by notifying Lightup promptly in writing within ten (10) business days after receipt of Lightup’s notice. In its objection, Customer shall explain its reasonable grounds for objection. In the event Customer objects to a new Subprocessor, Lightup will use commercially reasonable efforts to make available to Customer a change in the Lightup Products and Services or recommend a commercially reasonable change to Customer’s configuration or use of the Lightup Products and Services to avoid Processing of Customer Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Lightup is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate Customer’s subscription to the Service.
4.4 Emergency Replacement. Lightup may replace a Subprocessor if the need for the change is urgent and necessary to provide the Lightup Products and Services. In such instance, Lightup shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to Section 4.3 above.
5. Assistance & Cooperation
5.1 Security. Lightup will provide reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Applicable Privacy Law relevant to Lightup’s role in Processing the Customer Personal Data, taking into account the nature of Processing and the information available to Lightup, by implementing technical and organizational measures set forth in the Agreement, without prejudice to Lightup’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Personal Data. Lightup will ensure that the persons Lightup authorizes to Process the Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.
5.2 Personal Data Breach Notification & Response. Lightup will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Privacy Law. Taking into account the nature of Processing and the information available to Lightup, Lightup will assist Customer by informing it of a confirmed Personal Data Breach without undue delay. Lightup will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include Lightup’s then-current assessment of the following, which may be based on incomplete information:
(a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned;
(b) the likely consequences of the Personal Data Breach; and
(c) measures taken or proposed to be taken by Lightup to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
Lightup will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Customer Data Incident(s). Nothing in this DPA or in the Standard Contractual Clauses shall be construed to require Lightup to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
6. Responding to Data Subjects
To the extent legally permitted, Lightup shall promptly notify Customer if Lightup receives any requests from a data subject seeking to exercise any rights afforded to them under Applicable Privacy Law regarding their Customer Personal Data, which may include: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). To the extent Customer, in its use of the Lightup Products and Services, does not have the ability to address a Data Subject Request, Lightup shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Lightup is legally permitted to do so and the response to such Data Subject Request is required under Applicable Privacy Law. To the extent legally permitted, Customer shall be responsible for any costs arising from Lightup’s provision of such assistance.
7. DPIAs & Consultation with Supervisory Authorities
Taking into account the nature of the Processing and the information available to Lightup, Lightup will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Customer Personal Data involving Lightup, and in consultation with supervisory authorities as required, by providing Customer with any publicly available documentation for the Lightup Products and Services or by complying with the Audits section below. Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Lightup’s involvement, and any other terms that the Parties deem appropriate.
8. Data Transfers
8.1 Customer authorizes Lightup and its Subprocessors to make international transfers of the Customer Personal Data in accordance with this DPA so long as Applicable Privacy Law for such transfers is respected.
8.2 For transfers of Customer Personal Data under this DPA from the EEA to countries which do not ensure an adequate level of data protection within the meaning of Applicable Privacy Law of the foregoing territories, to the extent such transfers are subject to such Applicable Privacy Law, the Standard Contractual Clauses shall apply. In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail.
8.3 The Standard Contractual Clauses will be deemed completed as follows:
(a) The “exporter” is the Customer, and the exporter’s contact information is set forth below.
(b) The “importer” is Lightup, and Lightup’s contact information is set forth below.
(c) Appendices 1 and 2 of the Standard Contractual Clauses are set forth in Annex A below.
By entering into this DPA, the Parties are deemed to be signing the Standard Contractual Clauses and its applicable Appendices.
8.4 EU SCCs. Personal Data from the European Union will be governed by the EU SCCs, completed as follows:
(a) Module Two will apply to the extent that Customer is a controller of the Personal Data, and Module Three will apply to the extent that Customer is a processor of the Personal Data on behalf of a third-party controller;
(b) in Clause 7, the optional docking clause will not apply;
(c) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Clause 9 of this Addendum;
(d) in Clause 11, the optional language will not apply;
(e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Republic of Ireland law;
(f) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
(g) Annex I will be deemed completed with the information set out in Annex I to this DPA;
(h) Annex II will be deemed completed with the information set out in Annex II to this DPA; and
(i) Annex III will be deemed completed with the information set out in Annex III to this DPA.
8.5 UK SCCs. Personal Data transfers from the United Kingdom will be governed by the UK SCCs and the UK International Data Transfer Addendum (the “IDTA”), completed as follows.
(a) In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement and this DPA.
(b) The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.
(c) References to the EU, member states and GDPR are amended mutatis mutandis to refer to the United Kingdom and UK Data Protection Law.
(d) In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.
8.6 Swiss SCCs. Personal Data transfers from Switzerland will be governed by the EU SCCs amended as follows:
(a) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
(b) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA,
(c) references to ‘EU’, ‘Union’, and ‘Member State’ will be deemed replaced with ‘Switzerland’,
(d) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable),
(e) In Clause 17, the EU SCCs will be governed by the laws of Switzerland, and
(f) Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
8.7 If any provision of the Agreement (including this Addendum) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
Lightup shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Lightup provide it with documentation, data, and records (“Records”) no more than once annually relating to Lightup’s compliance with this DPA (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall provide Lightup with fourteen (14) days prior written notice of its intention to conduct an Audit. Customer shall conduct its Audit in a manner that will result in minimal disruption to Lightup’s business operations and shall not be entitled to receive data or information of other clients of Lightup or any other Confidential Information of Lightup that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Lightup shall take prompt action to correct such non-compliance. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Lightup’s premises. Customer shall reimburse Lightup for any time expended for an Audit at Lightup’s then-current rates, which shall be made available to Customer upon request.
10. Return or Destruction of Personal Data
At the end of the applicable term of the Agreement, within a reasonable time following Customer’s written request, Lightup shall securely destroy or return Customer Personal Data to Customer. Notwithstanding the foregoing, this provision will not require Lightup to delete Customer Personal Data from archival and back-up files except as provided by Lightup’s internal data deletion practices and as required by Applicable Privacy Law.
Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each Party and each Party’s affiliates under this DPA or the Standard Contractual Clauses shall be subject to any aggregate limitations on liability set out in the Agreement, except as prohibited by Applicable Privacy Law.
Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
This Annex forms part of the Standard Contractual Clauses.
LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
|Name:||As provided by the Customer|
|Address:||As provided by the Customer|
|Contact person’s name, job title, and contact details:||As provided by the Customer|
|Activities relevant to the data transferred under these Clauses:||Lightup will process Customer Personal Data in order to provide its data quality management service to Customer|
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
|Name:||Lightup Data, Inc.|
|Address:||800 W El Camino Real, Suite #180, Mountain View, CA 94040|
|Contact person’s name, job title, and contact details:||Attn: legal|
|Activities relevant to the data transferred under these Clauses:||Lightup will process Customer Personal Data in order to provide its data quality management service to Customer|
B. DESCRIPTION OF TRANSFER
|Categories of data subjects whose Personal Data is transferred:||Customer’s employees and consultants who use Lightup Products and Services. Individuals whose Personal Data is stored in Customer’s data sources and processed by Lightup.|
|Categories of Personal Data transferred:||Lightup may have access to Personal Data of Customer’s employees and consultants who use Lightup Products and Services. The types of Customer Personal Data stored in Customer’s data sources are determined and controlled by Customer in its sole discretion, and may include, but are not limited to, identification and contact data (name, address, title, contact details), employment details (employer, job title, geographic location, area of responsibility), and/or information technology information (e.g., IP addresses, usage data, cookies data, location data). The Lightup Products and Services do not impose a technical restriction on the categories of Personal Data Customer may provide but the Agreement prohibits Customer from uploading special categories of data.|
|Sensitive data transferred (if applicable) and applied restrictions or safeguards||N/A|
|The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):||Ongoing during the term of Customer agreement|
|Nature of the processing:||The data processing activities carried out by Lightup under the Agreement|
|Purpose(s) of the data transfer and further processing:||Lightup will process Customer Personal Data in order to provide its data quality management service to Customer.|
|The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:||During the term of Customer’s agreement, and for a limited period after termination, so that Customer may export its data from Lightup’s systems.|
|For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:||As outlined in Annex 3 below|
C. COMPETENT SUPERVISORY AUTHORITY
|Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 SCCs)||Irish Supervisory Authority (DPC)|
Annex 2 Subprocessor List (as of the DPA Effective Date)
As identified at https://lightup.ai/subprocessors
Annex 3 Technical and Organizational Security Measures
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Lightup has established formal access management processes for the request, review, approval, and provisioning of all personnel who have a legitimate business need to access Lightup’s critical resources and if necessary, Customer Data.
Lightup stores Customer Data, as well as required operational and engineering data necessary to operate the Lightup Products and Services, in the minimum number of locations necessary.
Lightup utilizes encryption standards such as TLS 1.2 and AES-256 to encrypt all data in transit and at rest over public internet connections.
Lightup maintains a Security Incident Response Plan, which details procedures to be followed in the event of (1) actual unauthorized access to or use of Customer Data, including but not limited to disclosure, theft, or manipulation of data that has the potential to cause harm to Lightup’s systems or data, or (2) a Personal Data Breach.
Security Threats & Mitigation
Lightup has policies and processes in place designed to ensure risks to Lightup’s systems resulting from exploitation of published technical vulnerabilities are reduced and mitigated. This includes, but is not limited to, the following:
Regular internal risk assessments to identify and prioritize potential risks to the business
Use of reputable outside sources for security vulnerability information, such as:
Vendor and security mailing lists / forums
Participation in security webinars and industry meetups
For any newly identified vulnerabilities, a risk ranking is assigned using a rating scale based on established criteria, which may include the following:
CVSS based scoring
Classification by the vendor
Type of system (i.e., public-facing, security systems, databases, other systems that store/process customer data)
Other independent or internal determination
Deployment and management of antivirus software on all systems commonly affected by malicious software
Installation of vendor supplied security patches and specialized secure configurations
Monitoring of Lightup’s infrastructure and the Lightup Products and Services utilizing a variety of intrusion detection methods
Customer Data and decommissioned media used to store Customer Data are disposed of utilizing one of the following three methods:
Overwriting: The software process that replaces the data previously stored on magnetic storage media with a predetermined set of meaningless data, rendering the data unrecoverable.
Degaussing: Exposing the media to strong magnetic fields to destroy its contents.
Physical Destruction: This includes shredding and any other method of physical destruction, including extremes of physical force or temperature.
Logging & Analysis
For applications and systems that access, process, store, and/or transmit Customer Data, Lightup generates audit logs detailing use, access, disclosure, theft, manipulation, and reproduction. The audit logs are generated and reviewed on a daily basis. Logs are maintained for at least one (1) year.
Education & Awareness
Prior to being granted access to any Lightup equipment hosting Customer Data, all authorized personnel must undergo appropriate security training. Security training is then repeated annually. Such security training includes, but may not be limited to: acceptable use, social engineering, personnel security, data protection, incident response.
Lightup shall conduct periodic reviews, at minimum annually, of any system storing Customer Data to evaluate the security risks of such systems and will prioritize any detected vulnerabilities for remediation based on the nature and severity of the identified issue.
Lightup shall have established and documented access termination procedures for existing staff with access to Customer Data.