Data Processing Agreement
Last Revised: 05-02-2025
This Data Processing Agreement (this “DPA”) applies to Provider’s processing of Client Personal Data (as defined below) as a Processor (as defined below) in the course of providing the Services, inclusive of Professional Services (collectively, the “Services”), and is incorporated by reference when included on the Order Form into the LightBox Master Services Agreement located at: www.lightboxre.com/masterservicesagreement (collectively the “Agreement”). This DPA shall take effect on the Commencement Date specified in the applicable Order Form. Unless otherwise defined herein, capitalized terms shall have the meaning assigned to them in the Agreement. In the event of any conflict between the terms of the Agreement and this DPA with respect to the subject matter in this DPA, the terms of this DPA prevail.
- Definitions
“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), Directive 2002/58/EC, the United Kingdom’s Data Protection Act 2018, and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities that have the force of law.
“Client Personal Data” means any information relating to an identified or identifiable natural person, including personal data as defined in similar terms in Applicable Data Protection Laws, that is provided by the Controller (as defined below) to the Processor for Processing on behalf of Controller pursuant to the Agreement in the course of Controller accessing and using the Service and subject to Applicable Data Protection Laws.
“Controller,” “Processor,” “Data Subject,” “Process,” “Processed” or “Processing” have the meaning given in the GDPR and includes equivalent terms under Applicable Data Protection Laws.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Personal Data.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Client Personal Data to data processors established in a country for which an adequacy finding has not been granted under Applicable Data Protection Laws and as set out in either (i) the European Commission decision of 4 June 2021; or (ii) as published by the UK Information Commissioner’s Office (C/2021/3972).
“Sub-Processor” means any other Processors engaged by Provider to Process Client Personal Data.
- Processor Obligations
- Client Instructions: Processor shall only Process Client Personal Data on behalf of Data Controller to provide the Services in accordance with the Agreement, which constitutes the Client’s instructions regarding Processing of Client Personal Data. Data Controller may provide additional written instructions provided that they are consistent with the purpose and scope of the Agreement. Data Controller is responsible for ensuring its instructions to Processor comply with Applicable Data Protection Laws, and Data Controller acknowledges and agrees that Processor is not liable for any claim brought by Data Controller or a Data Subject arising from any action or omission by Processor resulting from Data Controller’s instructions.
- Processor may also Process Client Personal Data as required under applicable law, provided, however, that unless legally prohibited from doing so, Processor shall take reasonable steps to inform Data Controller of such requirement. Should Processor receive a lawful request from a government agency, unless legally prohibited from doing so, Processor shall take reasonable steps to refer the request to Data Controller, or shall otherwise promptly notify Data Controller of the request so that it may take the steps it deems necessary to respond.
- Processor Personnel: Processor shall ensure that its personnel who are authorized to Process the Client Personal Data are under an appropriate obligation of confidentiality consistent with the Agreement and this DPA.
- Security: Processor shall implement appropriate technical and organizational measures designed to protect Client Personal Data from Security Incidents. These measures shall be appropriate to the harm which might result from any Security Incident and shall be as established in the Processor’s then-current information security policy. Processor may change the security measures provided that such changes do not lessen the level of protection available upon the effective date of the DPA.
- Security Incidents: In the event of a Security Incident impacting Client Personal Data, Provider shall notify Client without undue delay, and shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
- Reasonable Assistance: Taking into account the nature of the Processing and the information available to Processor, to the extent required under Applicable Data Protection Laws, Processor shall reasonably assist Data Controller in carrying out its obligations under Articles 32 to 34 of the GDPR with respect to security of the Processing and notification of a Client Personal Data breach to a supervisory authority and to Data Subjects. Processor shall not undertake any task that can be performed by Data Controller, and Data Controller remains solely responsible for its obligations under Applicable Data Protection Laws.
- Data Subject Requests: Processor shall provide reasonable assistance to Data Controller to facilitate Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. Processor shall not be responsible for directly responding to Data Subject requests and shall promptly forward any such requests received by Processor to Data Controller.
- Data Protection Impact Assessments: Processor shall provide reasonably requested information regarding the Services not otherwise available to Data Controller to enable Client to carry out data protection impact assessments or prior consultations with data protection authorities as required under Applicable Data Protection Laws.
- Sub-Processors: Processor may engage Sub-Processors to provide the Services. Processor shall enter into a written agreement with each Sub-Processor that obligates each Sub-Processor to data protection requirements consistent with this DPA, and shall remain liable for its Sub-Processors’ compliance with this DPA. Where required under Applicable Data Protection Laws, Processor shall require Sub-Processors to engage in the Standard Contractual Clauses for Processors.
- Data Controller authorizes and consents to Processor’s engagement of the Sub-Processors listed at: www.lightboxre.com/subprocessors. Should Processor engage a new Sub-Processor, Processor shall notify Data Controller by updating the list at the link set forth in the previous sentence. In the event of a reasonable objection by the Data Controller, the Processor shall not proceed with the use of the Sub-Processor with respect to Client Personal Data. If the Processor determines that it is no longer reasonably feasible to provide the Services without engaging the Sub-Processor, the Data Controller may, as its sole and exclusive remedy, request termination of the Agreement, or the applicable portion thereof, by providing reasonable written notice to the Processor. Termination shall be at the sole liability of the Processor.
- Client Personal Data Storage: Processor shall store Client Personal Data at rest in the countries set forth at the following link, which may be updated from time to time by Processor: www.lightboxre.com/subprocessors.
- Transfer of Client Personal Data: Processor may transfer Client Personal Data to another country, including to a sub-processor located in another country, provided that such transfers are conducted in accordance with Applicable Data Protection Laws, including in compliance with the data importer’s obligations in the Standard Contractual Clauses, incorporated into this DPA and pursuant to Annex 1 and Annex 2, which are attached hereto and incorporated by reference to this DPA. The Data Controller shall comply with the data exporter’s obligations under the Standard Contractual Clauses.
- Data Retention: Within thirty (30) days of written request, Processor will delete Client Personal Data.
- Data Controller Obligations
- Data Controller represents and warrants that it (i) operates in compliance with Applicable Data Protection Laws, and has provided Data Subjects with the required notices and has obtained any necessary consents or otherwise has a lawful basis to provide Client Personal Data to Processor for Processing of Client Personal Data as articulated in the Agreement and this DPA; and (ii) its instructions to the Processor do and shall comply with Applicable Data Protection Laws.
Annex 1
Data Description and Processing Activities
This Annex 1 (“Annex 1”) describes the types of data and the processing activities that the Provider will carry out in connection with the provision of the Services.
1. LIST OF PARTIES
Controller(s) / Data exporter(s):
Name: | Client name set forth on the applicable Order Form |
Address: | As set forth on the applicable Order Form |
Contact person’s name, position and contact details: | As set forth on the applicable Order Form. |
Activities relevant to the data transferred under the SCCs: | Receipt of the Services for the purposes defined in the Agreement, as Software, Hosted Services, Provider Data, Professional Services, and Documentation together with any upgrades, modified versions, bug fixes or updates thereto provided by Provider. |
Role (controller/processor): | Controller |
Processor(s) / Data importer(s):
Name: | LightBox Parent, L.P. |
Address: | 6 Armstrong Rd. 4th Floor Shelton, CT 06484 |
Contact person’s name, position and contact details: | Data protection inquiries can be addressed to Nate Monte, Senior Security & Compliance Analyst. Email : privacy@lightboxre.com Phone : (203) 783-8155 |
Activities relevant to the data transferred under the SCCs: | Receipt of the Services for the purposes defined in the Agreement, as Software, Hosted Services, Provider Data, Professional Services, and Documentation together with any upgrades, modified versions, bug fixes or updates thereto provided by Provider. |
Role (controller/processor): | Processor |
2. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred: | The Personal Data processed concerns Users of the Services. |
Categories of Personal Data transferred: | Information a User inputs into open text fields as determined by the customer, and the following by product: |
  - RIMS: Licensed User information, such as first name, middle initial, last name, business address, business email, company name (when associated with an individual), and business phone(s); Vendors’ and VJMs’ information, such as first name, middle initial, last name, business address, business email, business phone(s), company name (when associated with an individual), Tax ID (could be SSN), and remit-to information; Borrower information, such as first name, last name, middle initial, email, phone(s), and company name (when associated with an individual).
  - Valuation: Licensed User information, such as first name, middle initial, last name and email address; Client contract information, such as first name, middle initial, last name, business phone number, business email, and business address.
  - PZR: Information contained in rent rolls, such as tenant name/client name, firm name, email, and phone number; Firm information when ordering reports, such as first name, last name, business phone, and business email; Owner authorization forms, such as first name, last name, business phone, and business email.
  - Broker RCM Packages, Deal Center, and ClientLook: Client contact information, such as first name, last name, email address, direct phone number, mobile phone number, license, and address (city, state, zip, country); Licensed User information, such as first name, middle initial, last name and email address; Payee information, such as first name, last name, credit card, and zip code.
  - ESA Data Packages: Company account information, such as first name and last name; Billing information, such as address, phone number and email; Order contacts, such as first name, last name, phone number and email; Information used for image export and upload (Draw Tools), such as email address; Licensed User information, such as email address, first name and last name.
  - Location Based Data: Licensed User information, such as first name, last name, email, and phone.
  - C360/PARCEL: Licensed User information, such as first name, middle initial, last name, business address, business email, company name, and business phone(s); Vendors and VJMs, such as first name, middle initial, last name, business address, business email, business phone(s), and company name; Borrower information, such as first name, last name, middle initial, email, phone(s), and company name; Property information, such as first name, last name, middle initial, email, and phone(s); Transaction information, such as borrower information and lender/legal contact information (first/last name, email address, phone number, physical address); Request information, such as loan number, borrower information, and requester first/last name; Collateral information, such as contact for property (first/last name, phone, email) and physical address.
  - Revere CRE: Licensed User information, such as email, first name, last name, office address, city/state, and personal/office phone; Information for mail marketing and CRM functionality, such as Licensed User information (email, first name, last name, office address, city/state, personal/office phone).
  - All Products: Payment processing, such as full name, home address (business address), email address, and phone number; Customer relationship management (CRM), such as first name, last name, and phone; Customer support and account management, such as full name, home address (business address), email address, phone number, mobile phone number, date of birth, workplace information (employment history, job title, etc.), username and passwords.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | Provider does not intentionally collect or transfer any sensitive data in relation to these data subjects. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Continuous for the duration of the Agreement. |
Nature of the processing: | Collection, aggregation, analytics, to deliver, maintain, monitor, protect, and analyze the use of the Services. |
Purpose(s) of the data transfer and further processing: | Processing to perform the Services for the purposes defined in the Agreement. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Personal Data will be retained in accordance with 2.9 of the DPA. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Processing activities in performance of the Services, as set out in the Agreement, including providing access to the Services. Personal Data will be retained in accordance with 2.9 of DPA. |
3. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 EU SCCs): | The competent supervisory authority in accordance with Clause 13 of the EU SCCs shall be the supervisory authority of the EU Member State where the data exporter is established. In the absence of an EU establishment, the competent supervisory authority will be the primary supervisory authority of the EU Member State most closely related to the data subjects involved, or otherwise designated by applicable EU data protection regulations. |
Annex 2
Technical and Organizational Security Measures
This Annex 2 (“Annex 2”) refers to the security and privacy audits, certifications, and administrative, technical, and physical controls in place to protect the information and data submitted by Provider’s Clients (“Customer Data”) through their use of the Services, as detailed at www.lightboxre.com/securityaddendum which may be updated from time to time by Provider.