Last Updated SEPTEMBER 2024

This ClientLab Data Processing Agreement is between Avatar First EOOD trading as ClientLab (“ClientLab”) and the party executing this agreement as Customer (“Customer”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data by ClientLab on behalf of Customer in connection with the services provided under the contemporaneously-executed Terms of Service agreement between the parties (“Agreement”).

This DPA is part of the Agreement and is effective upon execution or another time as specified in the Agreement, an Order, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency, and it will supersede any previous DPA.

1. Definitions

a. CCPA means California Civil Code Sec. 1798.100 et seq. as amended (also known as the California Consumer Privacy Act of 2018), including the California Privacy Rights Act amendments to the CCPA.

b. California Personal Information means Personal Data that is subject to the protection of the CCPA.

c. Business Purpose, Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process, and Processing shall have the meaning given to them in the Data Protection Laws.

d. Customer Personal Data means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data provided under the Agreement; and (ii) is protected as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

e. Data Protection Laws means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation, the European Data Protection Laws, the CCPA, and other US laws; in each case as amended, repealed, consolidated, or replaced from time to time.

f. Europe means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

g. European Data means Personal Data that is subject to the protection of European Data Protection Laws.h. European Data Protection Laws means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, the GDPR; (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded, or replaced.

i. GDPR means the General Data Protection Regulation ((EU) 2016/679), and the retained UK version of the same.

j. Standard Contractual Clauses means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found HERE , as may be amended, superseded, or replaced.

k. UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found HERE, as may be amended, superseded, or replaced.

2. Compliance

Both parties will comply with all applicable requirements of Data Protection Laws. This schedule is in addition to, and does not relieve, remove, or replace, a party's obligations or rights under Data Protection Laws.

3. Controller/Processor

The parties have determined that for the purposes of Data Protection Laws, ClientLab shall process the Customer Personal Data as processor on behalf of the Customer. Customer may be either a Controller or Processor.

4. Consents

Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to ClientLab, and the lawful collection of the same by the Customer using the ClientLab Services for the duration and purposes of the Agreement and DPA, and shall indemnify ClientLab against all loss and damage (including fines) arising from a failure to do so.

5. Nature, Scope, Purpose of Processing, and Data Subjects

The scope, nature, and purpose of Customer Personal Data Processing by ClientLab, the duration of the Processing, and the types of Customer Personal Data and categories of Data Subjects will be agreed upon by the parties as outlined in the Agreement.

6. Customer Instructions

ClientLab shall process Customer Personal Data only on the documented instructions of the Customer, unless ClientLab is required by any applicable laws to otherwise process that Customer Personal Data. The Agreement and DPA are deemed to be the instructions of Customer; the parties may agree to additional instructions. ClientLab shall inform the Customer if, in the opinion of ClientLab, the instructions of the Customer breach Data Protection Laws.

7. ClientLab Obligations

ClientLab will:

a. Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from Personal Data Breaches ("Security Measures").

b. Ensure that any personnel engaged and authorized by ClientLab to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality.

c. Assist the Customer, insofar as this is reasonably possible (taking into account the nature of the Processing and the information available to ClientLab), and at the Customer's cost and written request, in responding to any request from a Data Subject and in ensuring the Customer's compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.

d. Notify the Customer without undue delay on becoming aware of a Personal Data Breach involving the Customer Personal Data.

e. At the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless ClientLab is required by any applicable law to continue to process that Customer Personal Data. For the purposes of this paragraph, Customer Personal Data shall be considered deleted where it is put beyond further use by ClientLab.

f. For European Data, assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR; make available all information reasonably necessary to demonstrate compliance with this DPA to the Customer and allow for and reasonably contribute to audits, including inspections conducted by the Customer to assess compliance with this DPA to the extent required by Data Protection Laws; and will make available all information reasonably necessary to demonstrate compliance with GDPR Article 28 requirements for Processors.

g. Maintain records to demonstrate its compliance with this paragraph.

8. Service Provider

The parties agree that if the CCPA applies, Customer is a “business” and ClientLab is a “service provider” as defined under the CCPA. ClientLab will not retain, use, or disclose the California Personal Information it collects pursuant to the Agreement for any purposes other than for the Business Purposes specified in the Agreement.

9. Subprocessors

ClientLab uses GoHighLevel as a service provider, and the subprocessors engaged by GoHighLevel are outlined on their Data Processing Agreement page. The Customer agrees to these subprocessors as part of the agreement.