Data Processing Agreement.

Lyfeguard Limited, 128 City Road, London, United Kingdom, EC1V 2NX

Company number: 13160456

ICO number: ZA938389

This Data Processing Agreement ("DPA") governs the processing of personal data by Lyfeguard Limited ("Lyfeguard", "we", "us" or "our") as a processor on behalf of our Professional Customers who use the Services for business or professional purposes and act as data controllers when uploading personal data to the Application.

This DPA does not apply to Direct Users (consumers) who use the Services for personal or household purposes. For those users, Lyfeguard acts as a data controller and processes personal data in accordance with our Privacy Policy.

1. Definitions

Unless otherwise stated, the definitions in the Terms of Use shall apply to this DPA. In addition, the following definitions apply:

"controller", "processor", "data subject", "personal data", "personal data breach", "process", "processing", "appropriate technical and organisational measures" and "supervisory authority" shall have the meanings given to them under Data Protection Laws.

Client Personal Data: means any Client Data (as defined in the Terms of Use) that constitutes personal data processed by Lyfeguard on behalf of a Professional Customer in its capacity as a data controller as further described in the section 2 (Processing Details).

Data Protection Laws: all applicable data protection and privacy legislation in force in the United Kingdom, including: (i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018; and (ii) the Data Protection Act 2018, in each case as amended, updated or replaced from time to time.

2. Processing Details

2.1 Scope, nature and purpose of the processing

Lyfeguard processes personal data on behalf of Professional Customers to provide the Services, which allow Professional Customers to upload, store, organise, manage, and share their personal, financial, legal and other life-related information within the LyfeHubs of the Application. Lyfeguard hosts, stores, secures, backs up and maintains access to the Client Personal Data on its cloud-based platform, but does not access the content of the Professional Customer’s documents.

2.2 Categories of data subject

Individuals whose personal data is uploaded or entered by the Professional Customer, including but not limited to: the Professional Customer themselves, their family members, Trusted Users, Affiliated Users, beneficiaries, executors, legal, financial or professional advisers, and any other individuals whose data is included in the Professional Customer’s uploaded documents or information.

2.3 Categories of personal data

Data may include: names, dates of birth, contact details, national insurance or other identification numbers, identification documents, financial and investment information, bank account details, insurance and pension information, estate planning details, family relationships, health-related data (including special category data), professional advice, and any other personal data relevant to managing personal, legal, financial or family affairs.

2.4 Duration of processing

For the duration of the Professional Customer’s subscription or as instructed by the Professional Customer or required by applicable law, after which Client Personal Data will be securely deleted.

3. Roles and Relationship

3.1 The Professional Customer is the controller in respect of the Client Personal Data, and where we process Client Personal Data on the Professional Customer’s behalf, we are a processor of the Client Personal Data in respect of that Client Personal Data.

3.2 The Professional Customer is solely responsible for the integrity, accuracy and legality of the Client Personal Data. The Professional Customer shall ensure that it has all necessary consents and notices in place to enable the lawful transfer of Client Personal Data to Lyfeguard for the duration, and purposes of the Services so that Lyfeguard may lawfully collect and process Client Personal Data in accordance with this DPA.

3.3 We are a controller in respect of personal data provided by you, where this personal data is not covered by the definition of Client Personal Data (e.g. user information, such as billing information and contact details). This is processed in accordance with our Privacy Policy.

4. Controller Obligations

4.1 The Professional Customer shall, as a controller of the Client Personal Data:

4.1.1 maintain records which indicate how it processes personal data under its responsibility. These records will contain at least the minimum information required by Data Protection Laws;

4.1.2 ensure that it has provided all necessary notices to data subjects in accordance with Data Protection Laws; and

4.1.3 ensure that it has established a legal basis under Data Protection Laws for transferring the personal data to Lyfeguard and, where necessary, has obtained and recorded all necessary consents.

5. Processor Obligations

5.1 To the extent that we process Client Personal Data on behalf of the Professional Customer, we shall:

5.1.1 process the Client Personal Data only on the Professional Customer's documented instructions, which shall be to process the Client Personal Data to the extent necessary to provide, maintain, support and develop the Services unless otherwise required to process the Client Personal Data by applicable laws. In such a case, Lyfeguard shall inform the Professional Customer of that legal requirement before processing, unless prohibited by law. Lyfeguard shall promptly inform the Professional Customer if, in its opinion, an instruction infringes Data Protection Laws or other applicable laws;

5.1.2 implement appropriate technical and organisational measures to protect the Client Personal Data against unauthorised or unlawful processing, and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to individuals' rights and freedoms;

5.1.3 ensure that any personnel engaged and authorised by Lyfeguard to process Client Personal Data are subject to an appropriate duty of confidentiality, whether contractual or statutory;

5.1.4 not transfer Client Personal Data to any country or territory outside of the United Kingdom or European Economic Area unless such transfer is conducted in compliance with applicable Data Protection Laws, including the use of appropriate safeguards such as adequacy decisions, binding corporate rules, or standard contractual clauses (as applicable);

5.1.5 taking into account the nature of the processing and the information available to Lyfeguard, assist the Professional Customer, at the Professional Customer’s written request and cost, to the extent reasonably necessary to enable the Professional Customer to comply with its obligations under Data Protection Laws in relation to: (a) responding to data subject requests; (b) security of processing; (c) notification of personal data breaches; (d) data protection impact assessments; and (e) consultations with supervisory authorities;

5.1.6 notify the Professional Customer without undue delay upon becoming aware of any personal data breach involving Client Personal Data;

5.1.7 maintain complete and accurate records to demonstrate compliance with this Clause 5.1. The Professional Customer may request access to these records once per calendar year by submitting a written request to Lyfeguard. Lyfeguard shall make such records available electronically and shall respond to the request as soon as reasonably practicable.

6. Retention of Personal Data

6.1 The Professional Customer acknowledges and agrees that:

6.1.1 it can delete the Client Personal Data held by us at any time by deleting any of the relevant documents held in the Professional Customer’s account during its use of the Services;

6.1.2 unless the Professional Customer has instructed us otherwise, we will not retain documents stored on the Application after the Professional Customer terminates their account, and any Client Personal Data will be securely deleted in accordance with our Terms of Use; and

6.1.3 personal data collected for the purpose of opening and managing the account (e.g. contact and billing information) will be retained in accordance with Clause 12 of the Terms of Use.

7. Sub-processors

7.1 The Professional Customer hereby provides its prior, general authorisation for us to appoint sub-processors to process the Client Personal Data, provided that we shall:

7.1.1 ensure that the terms on which we appoint such sub-processors are consistent with the obligations imposed on us as a processor in this DPA;

7.1.2 remain responsible for the acts and omissions of any such sub-processor as if they were our own acts and omissions;

7.1.3 notify the Professional Customer of any material changes to sub-processors.

7.2 A list of current sub-processors is available on request.