DATA PROCESSING AGREEMENT (DPA)

Lightning Reviews LLC

This Data Processing Agreement (“DPA”) is made and entered into on [Effective Date] (the “Effective Date”) by and between:

(1) Lightning Reviews LLC (“Lightning Reviews” or “Processor”); and
(2) [Customer Legal Name] (“Customer” or “Controller”).

Processor and Customer are each a “Party” and together the “Parties”.

Background

A. Customer has entered into (or will enter into) a services agreement, terms of service, order form, or subscription agreement with Lightning Reviews governing Customer’s use of Lightning Reviews’ review/reputation management platform (the “Agreement”).
B. This DPA forms part of and is incorporated into the Agreement.
C. This DPA applies to Processing of Customer Personal Data by Lightning Reviews on behalf of Customer in connection with the Services.


1. Definitions

1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party. “Control” means ownership of more than 50% of voting interests or power to direct management.

1.2 “Applicable Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including as applicable: (i) the GDPR, (ii) the UK GDPR and the Data Protection Act 2018, and (iii) the CCPA/CPRA, plus any other U.S. state privacy laws that apply to the Parties.

1.3 “Customer Contact Data” means business contact information of Customer’s users/representatives (e.g., name, work email, role, phone number).

1.4 “Customer Personal Data” means Personal Data processed by Lightning Reviews on behalf of Customer in connection with the Services, excluding Customer Contact Data.

1.5 “EEA” means the European Economic Area.

1.6 “Personal Data”, “Processing”, “Controller”, and “Processor” have the meanings set out in Applicable Data Protection Laws.

1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

1.8 “Standard Contractual Clauses” means:
(a) the EU SCCs (Commission Implementing Decision (EU) 2021/914), and/or
(b) the UK International Data Transfer Addendum (“UK Addendum”),
each as applicable and incorporated under Section 9.


2. Roles of the Parties

2.1 Customer as Controller. Customer is the Controller of Customer Personal Data and determines the purposes and means of Processing.

2.2 Lightning Reviews as Processor / Service Provider. Lightning Reviews acts as Processor (and, where applicable under CCPA/CPRA, a “service provider” / “processor”) and will Process Customer Personal Data only:
(a) to provide the Services,
(b) in accordance with Customer’s documented instructions in the Agreement and this DPA, and
(c) as required by Applicable Data Protection Laws.

2.3 Customer Contact Data. Each Party is an independent Controller of Customer Contact Data it Processes for business relationship management, billing, support, compliance, and security purposes.


3. Customer Instructions

3.1 Purpose Limitation. Lightning Reviews will not:
(a) “sell” or “share” Customer Personal Data (as those terms are defined under CCPA/CPRA),
(b) Process Customer Personal Data for any purpose other than providing and supporting the Services,
(c) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer, except as permitted by Applicable Data Protection Laws,
(d) combine Customer Personal Data with personal data received from another customer except as permitted by law (e.g., security, fraud prevention), or
(e) attempt to re-identify deidentified data.

3.2 Lawful Instructions. Customer will not provide instructions that violate Applicable Data Protection Laws. Lightning Reviews will notify Customer if it reasonably believes an instruction violates applicable law.

3.3 Complete Instructions. The Agreement and this DPA are Customer’s complete instructions regarding Processing, including for SCC purposes.


4. Confidentiality & Disclosure Restrictions

4.1 Lightning Reviews will ensure that personnel authorized to Process Customer Personal Data are under appropriate confidentiality obligations.

4.2 Lightning Reviews will not disclose Customer Personal Data to any third party except:
(a) Sub-processors in accordance with Section 5,
(b) as required by law under Section 11, or
(c) as authorized in writing by Customer.


5. Sub-processors

5.1 Authorization. Customer provides general authorization for Lightning Reviews to engage Sub-processors to support delivery of the Services.

5.2 Sub-processor Obligations. Lightning Reviews will impose written obligations on Sub-processors that are no less protective than this DPA (as applicable).

5.3 Liability. Lightning Reviews remains responsible for Sub-processors’ performance to the extent required by Applicable Data Protection Laws.

5.4 Sub-processor List. Lightning Reviews will make available a current list of Sub-processors upon request to cameron@lightningreviews.io.

5.5 Notice of Changes. Lightning Reviews will provide notice of material Sub-processor additions or replacements at least ten (10) days in advance, by email to Customer’s DPA notice contact (set forth in Exhibit A).

5.6 Right to Object. Customer may object on reasonable data protection grounds by notifying Lightning Reviews in writing within ten (10) business days of notice. If the Parties cannot resolve the objection commercially, Customer may terminate the affected portion of the Services (without penalty beyond fees accrued for Services already provided).


6. Security

6.1 Security Measures. Lightning Reviews will implement and maintain appropriate technical and organizational security measures consistent with industry standards and proportionate to the risks (see Exhibit B).

6.2 No Absolute Guarantee. Customer acknowledges that no security program can guarantee 100% protection.


7. Personal Data Breach Notification

7.1 Notice. Lightning Reviews will notify Customer without undue delay after confirming a Personal Data Breach involving Customer Personal Data, and where feasible within 72 hours of confirmation.

7.2 Content. The notice will include, to the extent reasonably available:
(a) nature of the breach,
(b) categories/approximate number of affected data subjects and records,
(c) likely consequences, and
(d) mitigation steps taken or proposed.

7.3 Customer Responsibility. Customer is responsible for any legally required notices to individuals, regulators, or other third parties unless the law specifically requires Lightning Reviews to notify.


8. Data Subject Requests

8.1 If Lightning Reviews receives a request from an individual relating to Customer Personal Data (a “Data Subject Request”), it will (to the extent legally permitted) notify Customer.

8.2 Lightning Reviews will provide commercially reasonable assistance to Customer to respond to such requests where Customer cannot do so using the Services.


9. International Data Transfers (EU/UK)

9.1 When SCCs apply. If Customer transfers Customer Personal Data from the EEA/UK/Switzerland to Lightning Reviews in a manner requiring transfer safeguards, the Standard Contractual Clauses apply as follows:

EU SCCs (EEA transfers):

  • Module 2 (Controller → Processor) applies.

  • Option 2 for Sub-processors (general authorization) applies.

  • Governing law: Ireland.

  • Forum: Ireland.

  • Annexes are completed using Exhibit A and Exhibit B.

UK Addendum (UK transfers):

  • The UK Addendum is incorporated and completed using the same Exhibit information.

9.2 Order of precedence. If SCCs apply and conflict with this DPA, the SCCs control for the relevant transfer.


10. Audits & Compliance Information

10.1 Compliance Information. Upon written request no more than once per year, Lightning Reviews will provide reasonable information to demonstrate compliance (which may include security summaries, policies, or third-party attestations if available).

10.2 On-site audits. On-site audits are permitted only where required by law and subject to reasonable scope, confidentiality, and scheduling to prevent undue disruption.


11. Legal Process

If Lightning Reviews is legally required to disclose Customer Personal Data, it will (to the extent permitted by law):
(a) provide prompt notice to Customer, and
(b) reasonably cooperate with Customer’s efforts to seek protective treatment.


12. Deletion / Return of Customer Personal Data

12.1 Upon termination. Following termination of the Agreement, Lightning Reviews will delete or anonymize Customer Personal Data within a reasonable period, unless retention is required by law or for legitimate security/backups.

12.2 Backups. Customer acknowledges that data may remain in backups for a limited period consistent with standard retention cycles and will remain protected under this DPA.


13. Liability; Order of Precedence

13.1 Liability. Liability arising under this DPA is subject to the limitation of liability provisions in the Agreement, unless prohibited by Applicable Data Protection Laws.

13.2 Precedence. This DPA controls over the Agreement for data protection matters. SCCs (if applicable) control over this DPA for transfers.


14. Governing Law

Except where SCCs apply, this DPA is governed by the laws of the State of Georgia, without regard to conflicts of law rules.


Exhibit A — Processing Details

A. Subject Matter
Provision of review/reputation management Services (including review request workflows, messaging templates, widgets, analytics, and account administration).

B. Duration
For the term of the Agreement, plus any retention period described in Section 12.

C. Nature of Processing
Collection, storage, hosting, organization, transmission, retrieval, analytics (including aggregated/anonymized), and deletion.

D. Categories of Data Subjects

  • Customer’s authorized users (admins, staff)

  • Customer’s end customers/contacts (review request recipients)

  • Website visitors (if Customer installs website tools)

E. Categories of Personal Data (as determined by Customer)
May include:

  • Name, email, phone number

  • Business/store location information (if provided by Customer)

  • Review request metadata (send status, timestamps)

  • Message content (as configured by Customer)

  • IP address, device/browser identifiers (website/app usage)

Sensitive Data: Not intended; Customer should not upload sensitive categories unless explicitly required and lawful.

F. Processing Location / Transfer Mechanism
May include processing in the United States and other jurisdictions where Sub-processors operate; SCCs apply if required.

G. Customer DPA Notice Contact
Name/Role: [Customer Contact Name / Role]
Email: [Customer Contact Email]

H. Lightning Reviews DPA Notice Contact
Email: cameron@lightningreviews.io


Exhibit B — Technical & Organizational Measures (Summary)

Lightning Reviews maintains reasonable security measures including, as appropriate:

  1. Access Controls: role-based access, least privilege, MFA where available, unique credentials.

  2. Encryption: encryption in transit (TLS) and encryption at rest where supported by hosting/storage providers.

  3. Logging & Monitoring: system logging, anomaly monitoring, alerting for suspicious activity where feasible.

  4. Vulnerability Management: patching and updates, periodic scanning and remediation practices.

  5. Secure Development: secure coding practices aligned with common frameworks (e.g., OWASP guidance).

  6. Incident Response: documented incident handling and escalation procedures.

  7. Vendor Management: Sub-processor diligence and contractual protections.

  8. Backups & Recovery: backup routines and recovery processes consistent with service needs.