This Data Processing Agreement (this "DPA") is incorporated into the Master Subscription Agreement between Manafold Inc. (dba Layo) and Customer referencing this Data Processing Agreement (the "Agreement"). Capitalized terms used but not defined in this DPA (or in another document referenced by this DPA) will be understood to have the meanings given to them in the Agreement.
1. Data Processing, Subject Matter, and Roles
1.1 Data Processing
In the course of providing the Services to Customer pursuant to the Agreement, Layo may Process Customer Data that constitutes "personal data," "personal information," "personally identifiable information," or an analogous term under applicable law ("Customer Personal Data"). The Parties agree to comply with this DPA and all privacy and data protection laws applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act or "CCPA") (collectively, "Data Protection Laws").
1.2 Subject Matter
The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of "Data Subjects" (as such term is defined under applicable Data Protection Laws) are set out in Annex I, which is an integral part of this DPA.
1.3 Roles
Customer is a "Controller" or "Business" (as such terms are defined under applicable Data Protection Law) and appoints Layo as a "Processor" or "Service Provider" (as such terms are defined under applicable Data Protection Law) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers and Businesses. If Customer is itself a Processor acting on behalf of a Controller (a "Third-Party Controller"), then Customer (i) is the single point of contact for Layo, (ii) must obtain all necessary authorizations from such Third-Party Controller, and (iii) undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller.
2. Processing Instructions
Layo shall Process Customer Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the DPA, Agreement, and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3. Personnel
Layo will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality and have received appropriate training on data protection and security requirements.
4. CCPA Limitations on Processing
Except as permitted by applicable Data Protection Law, the Agreement, or this DPA, Layo is prohibited from: (a) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer's documented instructions; (b) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties; (c) combining Customer Personal Data with personal data obtained from, or on behalf of, sources other than Customer; and (d) "Selling" or "Sharing" (as such terms are defined under applicable Data Protection Laws) Customer Personal Data.
5. Security and Security Incident
5.1 Security
Layo will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Customer Personal Data in accordance with (a) the measures set forth in Annex II and (b) SOC 2 Type II or a substantially equivalent standard during the Term.
5.2 Security Incident Notification
Layo will notify Customer without undue delay and within 72 hours after becoming aware of any actual or reasonably suspected unauthorized access to, or other Processing of, Customer Personal Data ("Security Incident"). If Layo's notification of a Security Incident is delayed beyond 72 hours, it will be accompanied by reasons for the delay.
5.3 Security Incident Response
Layo will take reasonable measures in response to a Security Incident, including (i) taking measures designed to mitigate any Security Incident and prevent the recurrence of the Security Incident, (ii) providing Customer with reasonable information relating to the Security Incident known to Layo, and (iii) providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws.
5.4 Vulnerability Testing
Layo will perform regular vulnerability scanning and penetration testing of Layo's platform used to provide the Services, at least annually or when significant changes are made to the platform.
5.5 Encryption
Layo will encrypt Customer Personal Data in transit using TLS 1.2 or higher and at rest using AES-256 encryption or equivalent industry-standard encryption techniques.
6. Subprocessing
6.1 Subprocessors
Customer hereby authorizes Layo to engage any Processor that processes Customer Personal Data on behalf of Layo ("Subprocessor"). A list of Layo's current Subprocessors is listed in Annex III.
6.2 Subprocessor Agreements
Layo will enter into a written agreement with all Subprocessors which imposes substantially similar obligations on the Subprocessors as the obligations imposed on Layo under this DPA, including requirements for security, confidentiality, and data protection.
6.3 Subprocessor Changes
Layo will notify Customer at least thirty (30) days prior to any intended change to Subprocessors by email to the address associated with Customer's account and by posting notice on Layo's website. Customer may object to the addition of a Subprocessor based on reasonable grounds that the appointment of such Subprocessor will result in a material violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Layo's notification of the intended change. Customer and Layo will work together in good faith to address Customer's objection. If Layo chooses to retain such new Subprocessor and the Parties cannot reach a mutually acceptable resolution, either party may immediately discontinue providing or using the relevant parts of the Services that use such Subprocessor, as applicable, and may terminate the relevant parts of the Services that use such Subprocessor within thirty (30) days.
7. Assistance
7.1 Assistance
Taking into account the nature of the Processing, and the information available to Layo, Layo will provide reasonable assistance, including in connection with implementing appropriate technical and organizational measures, to Customer designed to comply with Data Subject or "Consumer" (as such term is defined under applicable Data Protection Laws) requests, reply to inquiries, complaints, and investigations, and conduct data protection impact assessments, data protection assessments, and prior consultations with regulators. Layo may charge reasonable fees for assistance beyond basic support provided under the Agreement.
8. Audit
Upon Customer's reasonable written request, and no more than once per twelve (12) months unless required by a supervisory authority, Layo will permit Customer, at Customer's expense, to audit Layo's applicable controls and compliance with this DPA (an "Audit"), provided that (a) the Audit is conducted by Customer or by a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Layo, (b) Customer and Layo mutually agree on reasonable details of the Audit, including the start date, scope and duration of, and security and confidentiality controls applicable to, such Audit, (c) the Audit is conducted during normal business hours with at least thirty (30) days' prior written notice, and (d) the Audit does not interfere with Layo's business operations. As an alternative to an Audit, Layo may provide Customer with a copy of its most recent SOC 2 Type II report or equivalent certification. Customer will pay all costs and expenses incurred by Layo in connection with any such Audit. Customer may use the results of an Audit only for the purposes of meeting Customer's regulatory audit requirements and confirming compliance with the requirements of the DPA.
9. International Data Transfers
9.1 European Data Transfers
Layo will obtain Customer's specific prior written authorization for any transfer of Customer Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission ("International Data Transfer"). Customer hereby authorizes Layo to conduct International Data Transfers outside the EEA or Switzerland:
- to any country subject to a valid adequacy decision of the European Commission;
- on the basis of an organization's binding corporate rules approved by EEA Supervisory Authorities; and
- to any data importer with whom Layo has entered into standard contractual clauses ("SCCs").
9.2 European Transfer Mechanisms
Customer and Layo conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the "data exporter" is Customer; the "data importer" is Layo; the optional docking clause in Clause 7 is implemented; Option 1 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Delaware; the courts in Clause 18(b) are the Courts of Delaware; Annex I, II and III to the SCCs are Annex I, II and III to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3 UK Data Transfers
Customer hereby authorizes Layo to perform International Data Transfers outside the UK subject to the following requirements:
- to any country subject to a valid adequacy decision issued by the UK Government;
- on the basis of an organization's binding corporate rules approved by the UK Information Commissioner; and
- to any data importer with whom Layo has entered into the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.
9.4 UK Transfer Mechanism
Customer and Layo conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the "Exporter" is Customer and the "Importer" is Layo, and their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B), II, and III to the "Approved EU SCCs" are Annex I, II, and III to this DPA respectively; and (iv) in Table 4, both the "Importer" and the "Exporter" can terminate the UK Addendum.
10. Return and Deletion
Following the date of expiration or earlier termination of this DPA, Layo will promptly return or delete all Customer Personal Data within sixty (60) days; provided, however, that Layo may retain copies of Customer Personal Data as expressly agreed by the parties or as required by applicable law or contained in standard backups that will remain subject to the protections of this DPA. Customer may request expedited deletion by contacting legal@uselayo.com.
ANNEX I - DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter
- Name: Customer (as defined above)
- Activities relevant to the data transferred under these Clauses: Customer receives Layo's services as described in the Agreement and Customer provides Personal Data to Layo in that context.
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer
- Name: Manafold Inc. (dba Layo)
- Activities relevant to the data transferred under these Clauses: Layo provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
Categories of Data Subjects whose Customer Personal Data is transferred:
- Customer's end users of AI-native applications created using the Platform
- Customer's employees, contractors, and Users accessing the Platform
- Customer's customers and partners
Categories of Customer Personal Data transferred:
- Name, email address, username
- Contact details (phone number, address)
- User identifiers and authentication credentials
- Application usage data and analytics
- IP addresses and device information
- Application inputs and outputs
- API credentials and integration data
- Any other data Customer chooses to input or process through the Platform
Sensitive data transferred (if applicable):
Layo does not intentionally process sensitive personal data. Customer must not process sensitive data (including health information, financial data, biometric data, or data revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership) through the Platform without prior written agreement with Layo.
The frequency of the International Data Transfer:
On a continuous basis for the duration of the Agreement.
Nature of the processing:
The Customer Personal Data will be processed and transferred as described in the Agreement, including collection, storage, retrieval, consultation, use, organization, structuring, adaptation, deletion, and disclosure for the purposes of providing the Platform services.
Purpose(s) of the International Data Transfer and further Processing:
- Provision of the no-code AI application builder platform
- Deployment and hosting of AI-native applications
- Analytics and reporting on application performance
- Technical support and troubleshooting
- Platform improvement and development
- Compliance with legal obligations
The period for which the Customer Personal Data will be retained:
Customer Personal Data will be retained for the duration of the Agreement and for sixty (60) days following termination, unless otherwise required by applicable law or longer retention is necessary for legitimate business purposes such as dispute resolution.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement and as necessary to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Data Protection Commission of Ireland.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner's Office.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
Layo implements comprehensive security safeguards designed to protect Customer Personal Data from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse, or damage. These measures include, but are not limited to:
Access Controls
- Multi-factor authentication for administrative access
- Role-based access control (RBAC) limiting access to Customer Personal Data
- Regular access reviews and revocation procedures
- Unique user accounts for all personnel
- Automated session timeout mechanisms
Data Security
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256 or equivalent
- Secure key management and rotation procedures
- Database encryption and access logging
- Secure deletion and data sanitization procedures
Network Security
- Firewall and intrusion detection/prevention systems
- Network segmentation and isolation
- DDoS protection and mitigation
- Regular security patching and updates
- Vulnerability scanning and penetration testing
Application Security
- Secure software development lifecycle (SDLC)
- Code review and security testing
- Input validation and output encoding
- Protection against OWASP Top 10 vulnerabilities
- Regular security assessments and audits
Physical Security
- Layo uses Google Cloud Platform infrastructure with SOC 2 Type II certified data centers
- Physical access controls and monitoring
- Environmental controls for temperature and humidity
- Backup power and redundancy systems
Organizational Measures
- Information security policies and procedures
- Security awareness training for all personnel
- Background checks for personnel with access to Customer Personal Data
- Confidentiality agreements with personnel and contractors
- Incident response plan and procedures
- Business continuity and disaster recovery plans
- Vendor risk management program
Monitoring and Logging
- Continuous security monitoring and alerting
- Comprehensive audit logging
- Log retention and analysis
- Security information and event management (SIEM)
Compliance and Certification
- SOC 2 Type II compliance (in progress)
- PCI-DSS compliance for payment processing
- Regular third-party security assessments
- Compliance with industry best practices and standards
ANNEX III - LIST OF SUBPROCESSORS
Customer authorizes Layo to engage the following Subprocessors:
| Subprocessor Name | Location of Processing | Nature and Purpose of Processing |
|---|---|---|
| Google Cloud | United States | Cloud infrastructure and hosting services |
| Vercel | United States | Application hosting and content delivery |
| Upstash | United States | Rate limiting and caching services |
| OpenAI | United States | AI model services for application functionality |
| Google (Firebase) | United States | Authentication services and real-time database |
| Stripe | United States | Payment processing services |
| Cloudflare | United States | Content delivery network and security services |
| Resend | United States | Email delivery services |
| Google Workspace | United States | Internal productivity and communication tools (limited) |
Layo may update this list from time to time in accordance with Section 6.3 of this DPA. The current list of Subprocessors is maintained at <https://uselayo.com/legal/subprocessors>.
Contact Information
For questions regarding this Data Processing Agreement, please contact:
Manafold Inc.
- Email: legal@uselayo.com
- Website: uselayo.com