
LUMA DATA PROTECTION ADDENDUM

1. Definitions

Some capitalized terms are defined in this section, and others are defined contextually elsewhere in the DPA. Any capitalized terms that are not defined in this DPA have the meanings assigned to such terms in the Agreement.

1.1. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. along with its associated amendments in the California Privacy Rights Act of 2020 (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”). For the avoidance of doubt, if Luma’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.

1.2. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.

1.3. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. 1

1.4. “Mural” (Tactivos, Inc Dba, Mural) is the sole and exclusive owner of Luma Institute.

1.5. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms will have the same meaning as defined by applicable Data Privacy Laws, that is Processed in connection with the purchase or performance of the Services under the Agreement. In light of the protections afforded by Data Privacy Laws and this DPA, Personal Data is not considered Confidential Information under the Agreement.

1.6. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.7. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as published by the UK Information Commissioner’s Office and in force as of 21 March 2022. 2

2. Luma as a Controller

This section applies to the applicable Services listed in Schedule 2.

2.1. Parties as Independent Controllers
With respect to the applicable Services referenced in Schedule 2, each Party will act as a “controller” or “business” (as defined by and as applicable under applicable Data Privacy Laws) with respect to Personal Data Processed in connection with such applicable Services and will independently determine the purposes and means of such Processing.

2.2. Compliance with Law
Each party is solely responsible for compliance with applicable Data Privacy Laws with respect to its own Processing of Personal Data in connection with the Agreement, and represents and warrants that it has fully complied with any legal requirement: (1) to provide notice or transparency to Data Subjects regarding its own Processing of Personal Data; (2) to obtain a Data Subject’s consent with respect to Processing Personal Data; (3) applicable to its own transfer of Personal Data to the other party; and (4) to have an appropriate “legal basis” for Processing Personal Data. Each party will disclose Personal Data to the other party solely for the purposes permitted by the Agreement. The recipient of any such Personal Data will not “sell” or “share” (as such terms are defined in applicable Data Privacy Laws) such Personal Data provided by the disclosing party pursuant to the Agreement, or otherwise retain, use, disclose, or process such Personal Data, for any purposes other than for the specific purposes set forth herein or otherwise outside the direct business relationship between the parties.

2.3. Cooperation Between the Parties
If a Party receives a request by a Data Subject to exercise rights under applicable Data Privacy Laws with respect to Personal Data (such as an applicable right to access such Personal Data), or a request purporting to exercise such rights, or a complaint related to the Processing of such data by a Data Subject or applicable supervisory authority, the parties will reasonably cooperate to address such request or complaint promptly and in compliance with applicable Data Privacy Laws. The parties also agree to reasonably cooperate with one another in demonstrating compliance with this DPA and applicable Data Privacy Laws in their Processing of Personal Data.

2.4. Security
Luma will maintain Security Measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability and resilience of our systems and Services against accidental or unlawful destruction, loss, alteration, disclosure or access of Personal Data (a “Personal Data Incident”), while also taking into account the state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of Data Subjects. Luma’s Security Measures are as described in Schedule 3. If a party discovers a Personal Data Incident (“Breached Party”) relating to Personal Data Processed pursuant to the Agreement, it will notify the other party without undue delay after discovery. In such an event, the Breached Party will provide reasonable assistance and cooperation to the other Party in addressing the Personal Data Incident.

2.5. Data Transfers
With respect to data transfers between the parties, to the extent legally required, the parties agree that the EU SCCs or UK SCCs, as applicable, form part of this DPA and will be deemed completed as set forth in Schedule 1 and Schedule 4. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction or the United Kingdom) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner. In the event of a conflict between the DPA and either the EU SCCs or UK SCCs, the applicable SCCs will govern.

3. Miscellaneous

We may need to update this DPA from time to time as laws, regulations and industry standards evolve, or as we make changes to our business or the Services. For example, if we release a new feature, product or service, we may need to update the information in the Schedules accordingly. If that happens, we will promptly post the revised DPA to our Site and update the “last updated” date. If we make changes that materially change the parties’ rights or obligations under this DPA, we will provide additional notice in accordance with applicable legal requirements, such as via email or through our Services. For the sake of clarity: updating this DPA to include a newly released feature, product or service does not by default constitute a material change; and we will only make updates for features, products or services that are generally released (not for any product research in beta). By continuing to access and use Luma Services after the effective date of the revised DPA, you agree to be bound by the revised DPA. If you do not agree with the revised DPA, do not use our Services.

Each party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each party further represents, warrants, and covenants that it will comply with all Data Privacy Laws applicable to such party in its role as data controller or business (as applicable under Data Privacy Laws). If applicable to Customer, Customer represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Customer affiliates. The parties acknowledge and agree that the exchange of Personal Data between the parties does not constitute a “sale” of Personal Data under any US Data Privacy Laws, and does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA. Each party’s liability arising out of or related to this DPA is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Luma Processes the Personal Data.

SCHEDULE 1

EU SCCS – Module One
Luma and Customer as Controllers

By entering into this DPA and Schedule 1, the parties are deemed to be signing the EU SCCs, including without limitation the applicable Annex Information set forth below. Any undefined capitalized terms used in this Schedule 1 have the meanings assigned to such terms in the EU SCCs.

  1. Module One of the EU SCCs will apply to the transfer of Personal Data between the Parties as independent controllers.
  2. The docking option under Clause 7 (Optional – Docking Clause) will apply.
  3. For purposes of Clause 8.5 (Security of processing), the Parties agree to the Security Measures contained in this DPA and Schedule 3.
  4. For purposes of Clause 15(1)(a) (Notification), the Parties agree to cooperate in respect of any such notification in accordance with Section C.3.
  5. For purposes of Clause 17 (Governing law), the parties agree that the EU SCCs will be governed by the laws of Ireland.
  6. For purposes of Clause 18 (Choice of forum and jurisdiction), the parties agree that any dispute arising from the EU SCCs will be resolved by the courts in Ireland. A Data Subject may also bring legal proceedings against Customer and/or Luma before the courts of the Member State in which the Data Subject has their habitual residence. The parties agree to submit themselves to the jurisdiction of such courts.

Annex I(A): List of Parties

The Parties

Name

  • Data Exporter: Customer
  • Data Importer: LUMA Institute, LLC

Address

  • Data Exporter: As provided in your Luma Customer account information
  • Data Importer: 301 Grant Street, suite 270, Pittsburgh, PA 15219, USA

Contact Person

  • Data Exporter: As provided in your Luma Customer account information
  • Data Importer: Dave Lambert, General Counsel, privacy@mural.co

Activities relevant to the transfer

Processing necessary to provide the applicable Services to you and for any disclosures of Personal Data in accordance with the Agreement and our Privacy Statement.

Role

  • Data Exporter: Controller
  • Data Importer: Controller

Annex I(B): Description of Processing & Transfer
As provided in Schedule 2 to this DPA.

Annex I(C): Competent Supervisory Authority
The competent supervisory authority will be in accordance with the provision applicable to Customer as provided in Clause 13(a) of the EU SCCs, and where possible, will be the Irish Data Protection Commissioner.

Annex II: Technical and Organizational Measures
As provided in Schedule 3 to this DPA.

SCHEDULE 2

Details of Processing – Luma as a Controller

 

Applicable Services

The applicable Services include the Learning Platform and Learning Programs.

Categories of Data Subjects

Authorized Users

Categories of Personal Data

Learning Platform

  • Contact information (including name, email, organization, employee ID)
  • Device information (including IP address, general location derived from IP address)
  • Product usage information (including session information, favorites, content used (including downloads, videos, templates))
  • Certification information (including name, email, courses taken, programs taken, attendance, performance results, certifications earned, certificate records)

Learning Programs

  • Contact information (including name, email, organization, employee ID)
  • Profile information (including job title, team, role)
  • Certification information (including name, email, courses taken, programs taken, attendance, performance results, certifications earned, certificate records)

Sensitive Data

Not applicable (as provided in the Agreement)

Frequency of the Transfer

Continuous during the Term of the Agreement

Nature & Purpose of Processing

  • Processing necessary to provide the applicable Services to you and your Authorized Users and as otherwise permitted by the Agreement, DPA, and applicable Data Privacy Laws.
  • Processing necessary for any sharing or disclosures of Personal Data in accordance with the Agreement and our Privacy Statement.

Purpose of Transfer

To provide the applicable Services to Customer

Duration of Processing

The Processing commences upon your agreement to the Agreement and will terminate upon termination or expiration of the Agreement

Transfers to Subprocessors

Not applicable

SCHEDULE 3

SECURITY MEASURES

Luma places great importance on the security of the Services, and we have adopted a variety of administrative, technical, physical, and organizational measures to protect the Services against a Personal Data Incident (collectively the “Security Measures”). The following provides an overview of some of Luma’s key Security Measures. The specific Security Measures utilized will depend on the Services that you use. The Services and security standards are subject to evolving risks, technical progress, and further development, and we reserve the right to implement alternative Security Measures or make future replacements or updates to our Security Measures. More information is available at https://www.mural.co/trust or its successor webpages, or upon request to compliance@mural.co.

Encryption

  • At Rest: Data resides in the production environment encrypted with at least AES-256.
  • In Transit: All network communication uses at least TLS v1.2, and it is encrypted and authenticated using at least AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

Password Hashing

Passwords are salted and hashed using industry standard accepted algorithms appropriate for the data processed.

Payment Information

Payment information is not stored by Luma and all payments made to Luma go through a PCI-compliant payment processor.

Standards Based Identity

We support Single Sign On (SSO) with multiple identity providers via SAML 2.0. Non-SSO users are required to separately validate their accounts.

Infrastructure

We utilize trusted cloud providers for our products (ex: Microsoft Azure and Amazon Web Services) and leverage their tools to set up appropriate firewall rules, intrusion, and DMZ policies. Every component of our infrastructure has redundancy. We have an automated process that patches our virtual machines on a regular cadence. We utilize a Web Application Firewall in addition to other technologies to perform real-time monitoring and proactive blocking of malicious user behavior. All actions on the back-end are logged.

Continuous Security Assessments

We periodically utilize an independent 3rd party to perform penetration tests. We run an ongoing public Vulnerability Disclosure Program (VDP) as well as continuous automated security tests. The ISO certifications, attestations, SOC 2 and/or SOC 3 reports applicable to our various products and services are available on the Mural website or upon request (subject to confidentiality).

Vendor Selection

All of our vendors offer industry-leading products and go through an exhaustive security audit as a standard part of our vendor management policy, to ensure their practices meet our security and compliance standards.

Personnel

Level of access is determined by role. Logical access reviews are performed periodically and access is immediately removed when no longer necessary. Multi-factor authentication is enforced for all personnel. Personnel devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches. We run background checks and sign confidentiality agreements with all personnel. We regularly provide security training for all personnel.

Policies & Plans

Among other company policies and plans, Luma has a Disaster Recovery Business Continuity Plan that is routinely tested to maximize availability, and an incident response plan in the event of a Security Incident or Personal Data Incident. Where appropriate, we also maintain formal software development lifecycle methodology and change management procedures.

SCHEDULE 4

UK SCCS

United Kingdom International Data Transfer Agreement
By entering into this DPA and Schedule 4, the parties are deemed to be signing the UK SCCs, including without limitation the Mandatory Clauses in Part 2 and its applicable Tables and Appendix Information. The parties agree that this Schedule 4 appends both Schedule A and Schedule 1, as appropriate. Any undefined capitalized terms used in this Schedule 4 have the meanings assigned to such terms in the UK SCCs.

 

Start Date

Coterminous with the Agreement

The Parties

Full Legal Name

  • Data Exporter: As provided in your Luma Customer account information
  • Data Importer: LUMA Institute, LLC

Trading Name (if different)

N/a

Address

  • Data Exporter: As provided in your Luma Customer account information
  • Data Importer: 301 Grant Street, suite 270, Pittsburgh, PA 15219, USA

Official Registration Number

  • Data Exporter: As applicable to Customer
  • Data Importer: N/a

Key Contact

  • Data Exporter: As provided in your Luma Customer account information
  • Data Importer: Dave Lambert, General Counsel, privacy@mural.co

Table 2: Selected SCCs, Modules and Selected Clauses
The “Approved EU SCCs” referenced in Table 2, to which this Addendum is appended, will be the EU SCCs as executed by the parties and completed as set forth in Schedule A and/or Schedule 1, as appropriate.

Table 3: Appendix Information
As provided in Schedule 1 to this DPA, as appropriate, with specific reference to Annex I(A), Annex I(B), Annex II, and Annex III.

Table 4: Ending this Addendum with the Approved Addendum Changes
Either party may end the UK SCCs as set out in Section 19 of the UK SCCs.

1 Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
2 Available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.




(C) 2023 LUMA Institute, a MURAL company
LUMA Institute, LLC is a wholly owned subsidiary of Tactivos, Inc. d/b/a MURAL

 
