Lumi Terms of Service
v1.09 effective 5 September 2025
These Terms are between Lumi Co Pty Ltd (“Lumi”, “us”, “we” or “our”) and you, either individually, or on behalf of your employer or any other entity which you represent (“client”, “you” or “your”). In case you represent your employer or any other entity, you hereby represent that (i) you have full legal authority to bind your employer or such entity (as applicable) to these Terms; and (ii) after reading and understanding these Terms, you agree to these Terms on behalf of your employer or the respective entity (as applicable), and these Terms shall bind your employer or such entity (as the case may be).
TERMS AND CONDITIONS
The parties agree as follows:
1. ACCEPTANCE OF OFFER
You acknowledge that these terms are binding, and you affirm and signify your consent to both these terms and also Lumi's Privacy Policy by registering onto, using, or accessing the services, additional services, sites, or mobile application with the date of such registration or acceptance being the “Commencement Date”.
2. DEFINITIONS
2.1 In this Agreement, unless a contrary intention appears, the following definitions will apply:
2.1.1 Acceptable Use Policy: means Lumi’s acceptable use policy set out in Schedule B. Lumi reserves the right to amend or vary the acceptable use policy at any time;
2.1.2 Account: means any accounts or instances created by or on behalf of Client or its Client Users within the Lumi Application;
2.1.3 Active Client User means a Client User who logs on to the Lumi Application in any given calendar month during the Term;
2.1.4 Additional Feature: means additional features or functionality (including, but not limited to, Lumi’s API or software development kit (SDK)) that are available or enabled through the Lumi Application, but do not form part of the Lumi Application;
2.1.5 Affiliate: means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise;
2.1.6 Agreement: means this document together with any ordering documents such as a Statement Of Work (“SOW”);
2.1.7 Applicable Data Protection Law: means the data protection laws that apply and include (a) in the United Kingdom, the Data Protection Act 2018; (b) in Europe, the General Data Protection Regulation (GDPR); (c) in Canada, the Personal Information Protection and Electronic Documents Act; (d) in Australia the Privacy Act 1988 (Cth); (e) in New Zealand, the Privacy Act (1993) and in the United States of America, relevant data protection laws as applicable;
2.1.8 Approved Sub-processor: an approved sub-processor as set out in Schedule D;
2.1.9 API: means the application programming interfaces developed and enabled by Lumi that permit Clients to access certain functionality provided by the Lumi Application, including, without limitation, the API that enables the interaction with the Lumi Application automatically through HTTP requests and the application development API that enables the integration of the Lumi Application with other web applications.
2.1.10 Associated Services: means products, services, features and functionality designed to be used in conjunction with the Services but are not included in the Service Plan to which the Client subscribes.
2.1.11 Azure Services means Microsoft Azure services used to host the Lumi Application;
2.1.12 Beta Services: means a product, service or functionality provided by Lumi that may be made available to the Client to try at the Client’s option at no additional charge which is clearly designated as beta, pilot, limited release, non-production, early access, evaluation or by a similar description;
2.1.13 Client means the client as specified during Acceptance of Offer;
2.1.14 Client Address for Notices means the client electronic address for notices as provided by the client during Acceptance of Offer;
2.1.15 Client Personal Data: means the personal data Processed by Lumi in the course of providing the services under this Agreement;
2.1.16 Client User: means any individual (including those of the Client’s Affiliates) using the Lumi Application through the Client’s Account as an agent and/or administrator as identified through a unique login;
2.1.17 Confidential Information: means all information disclosed by the Client to Lumi or by Lumi to the Client which is in tangible form and labelled “confidential” (or with a similar legend) or is information, regardless of form, which a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure, including, but not limited to, information relating to Lumi’s security policies and procedures. For purposes of this Agreement, this Agreement as well as Service Data shall be deemed Confidential Information. Notwithstanding the foregoing, Confidential Information shall not include information that:
(a) was already known to the receiving Party at the time of disclosure by the disclosing Party;
(b) was or is obtained by the receiving Party from a third party not known by the receiving Party to be under an obligation of confidentiality with respect to such information;
(c) is or becomes generally available to the public other than by violation of this Agreement or another valid agreement between the Parties; or
(d) was or is independently developed by the receiving Party without the use of the disclosing Party’s Confidential Information;
2.1.18 Consulting Fees means fees charged by Lumi to the Client for Consulting Services;
2.1.19 Consulting Services: means consulting and professional services (including any training services, workflow advice, configuration, optimization, analysis or implementation services) provided by Lumi or its authorized subcontractors in consideration of the Consulting Fees;
2.1.20 Currency means the currency as specified during the Acceptance of Offer and any subsequent invoices;
2.1.21 Documentation: means any written or electronic documentation, images, video, text or sounds specifying the functionalities of the Lumi Application or describing Service Plans, as applicable, provided or made available by Lumi to the Client via any channel including the Lumi support portal including all user manuals, training materials, support information, technical documentation, white papers, release notes, system requirements and guidelines;
2.1.22 Fees means the Fees as specified during the Acceptance of Offer or subsequent invoices and may include Subscription Fees and Consulting Fees;
2.1.23 Jurisdiction means Australia;
2.1.24 Location in relation to the Azure data center means Sydney, Australia;
2.1.25 Lumi means Lumi Co Pty Ltd a company registered in Australia with Australian Company Number 622 984 132;
2.1.26 Lumi Address for Notices: 20 Tombonda Drive, Kiama NSW 2533 Australia or email: admin@lumi.media;
2.1.27 Lumi Application: means the Lumi Software delivered as a “Software as a Service” (SaaS) by Lumi to the Client in accordance with this Agreement, and made available online by Lumi via the applicable Client login link, including, individually and collectively, the applicable Lumi Software, updates, API, Documentation, and all applicable Associated Services that the Client has purchased or deployed or to which the Client has subscribed that are provided under this Agreement but excluding:
(a) Third Party Services, including Azure Services; and
(b) any Additional Features or Associated Services that are not provided under this Agreement;
2.1.28 Lumi Group means Lumi, together with all its Affiliates;
2.1.29 Lumi Software means object or otherwise executable code of all and any Lumi Group’s software products, including subsequent software releases, evaluation versions, beta versions, and associated Documentation;
2.1.30 Lumi Site means a website operated by the Lumi Group and includes https://www.lumi.media and/or https://app.lumi.media;
2.1.31 Intellectual Property Rights means all present and future rights conferred by statute, common law and equity, in relation to copyright, trademarks, designs, patents, circuit layouts, business produce and domain names, inventions and confidential information and other results in the industrial, commercial, scientific, literary or artistic fields whether or not capable of being registered or patentable;
2.1.32 Payment Terms means the payments as specified during the Acceptance of Offer or as specified in subsequent invoice(s), generally fourteen (14) days from the date of an invoice;
2.1.33 Personal Data: means any information relating to an identified or identifiable natural person where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity, or otherwise as defined by the Applicable Data Protection Law;
2.1.34 Process: means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
2.1.35 Proposal: means the formal quotation document, if any, provided by Lumi to the Client which specifies fees and other details;
2.1.36 Service Data: means electronic data, text, messages, communications or other materials submitted to and stored within the Lumi Application by the Client and Client Users in connection with the Client’s use of the Lumi Application, which may include, without limitation, Personal Data (but shall not include the Personal Data of the Client’s Client Users in the context of Account Information as described in the Privacy Policy);
2.1.37 Service Levels means the service levels set out in Schedule C;
2.1.38 Service Plan: means the packaged service plan and the functionality and services associated with that plan for the Lumi Application and includes the number of Active Client Users and any data storage allowance;
2.1.39 Subscription Fees means the fees charged by Lumi to the Client for access to the Lumi Application;
2.1.40 Support and Maintenance: means support and maintenance for resolving product-related problems such as service interruptions, application response times, software “bugs”; Lumi will endeavour to resolve all support and maintenance queries as quickly as reasonably practicable;
2.1.41 Term: means as stipulated in any accompanying formal Proposal or quotation or, if not stipulated, one (1) month during which this Agreement is effective and enforceable. The Term is automatically renewed until cancelled by the Client or Lumi. The Term shall commence on the Commencement Date and shall continue unless terminated earlier in accordance with the provisions outlined in this contract.
2.1.42 Third Party Services: means third party products, applications, services, software, networks, systems, directories, websites, databases and information which the Lumi Application links to, or which the Client may connect to or enable in conjunction with the Lumi Application, including, without limitation, Third Party Services which may be integrated directly into the Client’s Account by the Client or at the Client’s direction; third party services include Azure Services; and
2.1.43 Trial Period means any trial period specified during Acceptance of Offer.
3. INTERPRETATION
3.1 The following rules apply to the interpretation of this Agreement unless the context requires otherwise:
3.1.1 Headings are for convenience only and do not affect interpretation.
3.1.2 The singular includes the plural and vice versa.
3.1.3 If a word or phrase is defined, its other grammatical forms have a corresponding meaning.
3.1.4 A reference to a party to this Agreement includes the party's successors, permitted substitutes and permitted assigns (and, where applicable, the party's legal representatives).
3.1.5 A reference to legislation includes a modification or re-enactment of it, a legislative provision substituted for it and a regulation or statutory instrument issued under it.
3.1.6 A reference to an amount is in the Currency, unless otherwise indicated in this Agreement.
4. SUBSCRIPTION AND SERVICES
4.1 In consideration of payment to Lumi by the Client of the Fees, Lumi:
4.1.1 grants Client a non-exclusive, non-transferable subscription to use the Lumi Application during the Term;
4.1.2 will provide the Lumi Application using Azure Services from the Location;
4.1.3 will apply the Service Levels;
4.1.4 will provide Support and Maintenance;
4.1.5 will provide the Consulting Services;
4.1.6 shall use commercially reasonable efforts to provide availability in accordance with the Service Levels set out in Schedule C for the Lumi Application, except:
(a) during planned downtime for upgrades and maintenance to the Lumi Application (of which Lumi will use commercially reasonable efforts to notify the Client in advance both through the Lumi Site and a notice to the Client’s Account owner and Client Users) (“Planned Downtime”); and
(b) for any unavailability caused by circumstances beyond Lumi’s reasonable control, including, for example, pandemic, act of government, flood, fire, earthquake, civil unrest, act of terror, strike or other labor problem, Internet service provider failure or delay, power failure, Third Party Services, or acts undertaken by third parties, including without limitation, denial of service attack (“Force Majeure Event”).
4.2 All Support and Maintenance issues are to be reported via email to support@lumi.media.
4.3 During the Term and subject to compliance by the Client and Client Users with this Agreement, the Client has the right to access the Lumi Application for the Client’s internal business purposes. The Client may extend the Client’s rights, benefits and protections to the Client’s Affiliates and to contractors or service providers acting on the Client’s or the Client’s Affiliates’ behalf, so long as the Client remains responsible for the Client’s compliance pursuant to this Agreement.
5. CLIENT OBLIGATIONS
5.1 In order to access the Lumi Application, the Client must ensure it meets Lumi’s system requirements.
5.2 A high-speed Internet connection is required for proper transmission of the Lumi Application. The Client is responsible for procuring and maintaining the network connections that connect the Client’s network to the Lumi Application, including, but not limited to, “browser” software that supports protocols used by Lumi, including the security or other protocols accepted by Lumi, and to follow procedures for accessing services that support such protocols. Lumi is not responsible for notifying the Client or Client Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Service Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by Lumi. Lumi assumes no responsibility for the reliability or performance of any connections as described in this clause.
5.3 In addition to complying with the other terms, conditions and restrictions set forth below in this Agreement, the Client agrees to Lumi’s Acceptable Use Policy.
5.4 In the Client’s use of the Lumi Application the Client agrees not to:
5.4.1 license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Lumi Application available to any third party, other than Client Users in furtherance of the Client’s internal business purposes as expressly permitted by this Agreement;
5.4.2 use the Lumi Application to Process data on behalf of any third party other than Client Users;
5.4.3 modify, adapt, or hack the Lumi Application or otherwise attempt to gain unauthorized access to the Lumi Application or related systems or networks;
5.4.4 falsely imply any sponsorship or association with Lumi or the Lumi Group;
5.4.5 use the Lumi Application in any unlawful manner, including, but not limited to, violation of any person’s privacy rights;
5.4.6 use the Lumi Application to send unsolicited or unauthorized bulk mail, junk mail, spam, other forms of duplicative or unsolicited messages, or messages that directly or indirectly support pyramid schemes or other fraudulent activities;
5.4.7 use the Lumi Application to store or transmit files, materials, data, text, audio, video, images or other content that infringes on any person’s intellectual property rights;
5.4.8 use the Lumi Application in any manner that interferes with or disrupts the integrity or performance of the Lumi Application and its components;
5.4.9 attempt to decipher, decompile, reverse engineer or otherwise discover the source code of any Lumi Software making up the Lumi Application;
5.4.10 use the Lumi Application to knowingly post, transmit, upload, link to, send or store any content that is (or directly or indirectly supports activities that are) unlawful, racist, hateful, abusive, libelous, obscene, or discriminatory;
5.4.11 use the Lumi Application to knowingly post, transmit, upload, link to, send or store any viruses, malware, Trojan horses, time bombs, or any other similar harmful software (“Malicious Software”);
5.4.12 use or launch any automated system that accesses the Lumi Application (i.e., bot) in a manner that sends more request messages to a Lumi Application server in a given period of time than a human can reasonably produce in the same period by using a conventional online web browser;
5.4.13 allow Client Users to share access credentials with any person; or
5.4.14 attempt to use, or use the Lumi Application in violation of this Agreement.
5.5 As between the Client and Lumi, the Client is responsible for compliance with the provisions of this Agreement by Client Users and for any and all activities that occur under the Client’s Account. Without limiting the foregoing, the Client is solely responsible for ensuring that the use of the Lumi Application to store and transmit Service Data is compliant with all applicable laws and regulations as well as any Applicable Data Protection Laws, privacy policies, agreements or other obligations the Client may maintain or enter into with Client Users. The Client also maintains all responsibility for determining whether the Lumi Application or the information generated within the Lumi Application is accurate or sufficient for the Client’s purposes. Subject to any limitation on the number of individual Client Users available under the applicable Service Plan(s) to which the Client subscribed, access to and use of the Lumi Application is restricted to the specified number of individual Client Users permitted under the Client’s subscription to the Lumi Application.
5.6 The Client agrees and acknowledges that each Client User will be identified by a unique username and password (“Login”) and that a Client User Login may only be used by one (1) individual. Traditional or full-time Client User subscriptions are for designated individuals only and a Login cannot be shared or used by more than one individual but may be reassigned to new individuals replacing former individuals who no longer require ongoing use of the Lumi Application.
5.7 The Client and the Client’s Client Users are responsible for maintaining the confidentiality of all Login information for the Client’s Account. The Client agrees and acknowledges that the Client may not use the Lumi Application, including but not limited to APIs, to circumvent the requirement for an individual Client User Login for each individual who uses the Lumi Application; Processes data; or absent a license from Lumi or otherwise, Processes data related to interactions originating from a Third Party Service that provides functionality similar to functionality provided by the Lumi Application and which would, pursuant to this Agreement, require an individual Client User Login if utilizing the Lumi Application for such interaction.
5.8 Lumi reserves the right to periodically verify that the Client’s use of the Lumi Application complies with the Agreement including, without limitation, by accessing the Client’s Account. Should Lumi discover that the Client’s use of the Lumi Application is not in compliance with this Agreement, Lumi reserves the right to charge the Client, and the Client agrees to pay for, said usage in addition to other remedies available to Lumi.
5.9 The Client acknowledges that Lumi may modify the features and functionality of the Lumi Application during the Term.
5.10 The Client may not access the Lumi Application if the Client is a direct competitor of the Lumi Group, except with Lumi’s prior written consent. The Client may not access the Lumi Application for competitive purposes.
6. TRIAL SERVICES
6.1 Lumi may make such Lumi Application available to the Client for the Trial Period until the earlier of:
6.1.1 the end of the Trial Period for which the Client registered to use the Lumi Application;
6.1.2 the start date of any subscription to the Lumi Application purchased by the Client; or
6.1.3 termination of the trial by Lumi at Lumi’s sole discretion.
6.2 Any Service Data the Client enters into the Lumi Application, and any configurations or customizations made to a service by or for the Client, will be permanently lost at the end of the Trial Period, unless the Client purchases a Subscription before the end of the Trial Period.
7. BETA SERVICES
7.1 From time to time, Lumi may make Beta Services available to the Client at no charge. The Client may choose to try such Beta Services in the Client’s sole discretion. Beta Services are intended for evaluation purposes and not for production use and are not supported. Beta Services are not considered to be provision of the Lumi Application pursuant to this Agreement; however, all restrictions, Lumi’s reservation of rights and the Client’s obligations concerning the Lumi Application, and use of any Third Party Services shall apply equally to the Client’s use of Beta Services. Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one year from the trial start date or the date that a version of the Beta Services becomes generally available without the applicable Beta Services designation. Lumi may discontinue Beta Services at any time at Lumi’s sole discretion and may never make them generally available. Lumi will have no liability for any harm or damage arising out of or in connection with a Beta Service. Lumi makes no warranties with respect to the Beta Services and the Client must not use the Beta Services for live cases.
8. SUSPENSION OF SERVICE
8.1 Lumi reserves the right, in Lumi’s reasonable discretion, to temporarily suspend the Client’s access to and use of the Lumi Application if:
8.1.1 the Client has not paid any invoice and such invoice remains unpaid for a period of fourteen (14) days;
8.1.2 Lumi suspects or detects any Malicious Software connected to the Client’s Account or use of the Lumi Application by the Client or Client Users; or
8.1.3 the Client is in material breach of this Agreement.
9. CONFIDENTIALITY AND PRIVACY
9.1 Each Party will protect each other’s Confidential Information from unauthorized use, access or disclosure in the same manner as each protects its own Confidential Information.
9.2 Except as otherwise expressly permitted pursuant to this Agreement, each Party may use each other’s Confidential Information solely to exercise its respective rights and perform its respective obligations under this Agreement and shall disclose such Confidential Information:
9.2.1 solely to the employees and/or non-employee service providers and contractors who have a need to know such Confidential Information and who are bound by terms of confidentiality intended to prevent the misuse of such Confidential Information;
9.2.2 as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction; or
9.2.3 as reasonably necessary to comply with any applicable law or regulation.
9.3 As between the Parties, all Service Data Processed under the terms of this Agreement shall remain the property of the Client. Except for where Lumi collects Personal Data about visitors to Lumi’s Site, under no circumstances will Lumi act, or be deemed to act as a “controller” (or equivalent concept) of the Service Data Processed within the Lumi Application under Applicable Data Protection Law.
9.4 The Client agrees that the Client is responsible for notifying Client Users that Personal Data collected, stored, used and/or processed by the Lumi Group, as described in this Agreement, is collected, stored, used and/or processed in compliance with the Applicable Data Protection Laws.
9.5 The Client agrees that the Lumi Group and the Approved Sub-processors that are utilised by the Lumi Group to assist in providing the Lumi Application to the Client shall have the right to access the Client’s Account and to use, modify, reproduce, distribute, display and disclose Service Data and the Personal Data of the Client’s Client Users only to the extent necessary to provide or improve the Lumi Application, including, without limitation, in response to the Client’s support requests. Any third-party service providers utilized by the Lumi Group will only be given access to the Client’s Account and Service Data as is reasonably necessary to provide the Lumi Application and will be subject to confidentiality obligations which meet, or exceed, the standards set out in this Agreement.
9.6 Lumi receives and stores any information that the Client knowingly provides to Lumi. For example, through the registration process for Lumi’s Application and/or through the Client’s Account settings, Lumi may collect Personal Data such as the Client’s name, email address, phone number and third-party account credentials. In addition, Lumi may communicate with the Client and the Client’s Client Users.
10. INTELLECTUAL PROPERTY RIGHTS
10.1 Each Party shall retain all rights, title and interest in and to all its respective trademarks, patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights (collectively, “Intellectual Property Rights”) owned by each party at the Commencement Date.
10.2 The Client acknowledges all rights in and relating to the Intellectual Property of Lumi, including the Lumi Software and/or the Lumi Application, are and remain the property of Lumi and the Client does not acquire any right, title or interest in such Intellectual Property.
10.3 The rights granted to the Client and Client Users to use the Lumi Application under this Agreement do not convey any additional rights in the Lumi Application or in any Intellectual Property Rights associated with the Lumi Application.
10.4 Subject only to limited rights to access and use the Lumi Application as expressly stated in this Agreement, all rights, title and interest in and to the Lumi Application and all hardware, Lumi Software and other components of or used to provide the Lumi Application, including all related Intellectual Property Rights, will remain with the Lumi Group and belong exclusively to the Lumi Group.
10.5 The Lumi Group shall have a fully paid-up, royalty-free, worldwide, transferable, sub-licensable (through multiple layers), assignable, irrevocable and perpetual license to implement, use, modify, commercially exploit, and/or incorporate into the Lumi Application or otherwise use any suggestions, enhancement requests, recommendations or other feedback Lumi receives from the Client, Client Users, End-Users, or other third parties acting on the Client’s behalf.
10.6 Lumi names and logos used or displayed in or on the Lumi Application are registered or unregistered trademarks of Lumi (collectively, “Marks”), and the Client may use applicable Marks provided the Client does not attempt, now or in the future, to claim any rights in the Marks, degrade the distinctiveness of the Marks, or use the Marks to disparage or misrepresent Lumi, Lumi’s services or products.
11. THIRD PARTY SERVICES
11.1 The Client shall not enable access to or use of Third Party Services, except those expressly authorised by Lumi.
11.2 Lumi cannot guarantee the continued availability of such Third Party Service features, and may cease enabling access to them without entitling the Client to any refund, credit, or compensation, if, for example and without limitation, the provider of a Third Party Service ceases to make the Third Party Service available for interoperation with the corresponding Service in a manner acceptable to Lumi. The Client irrevocably waives any claim against Lumi with respect to such Third Party Services.
11.3 Lumi is not liable for any damage or loss caused or alleged to be caused by or in connection with the Client’s enablement, access or use of any such Third Party Services, or the Client’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The Client may be required to register for or log into such Third Party Services on their respective websites.
11.4 By enabling any Third Party Services, the Client is expressly permitting Lumi to disclose the Client’s Login, as well as Service Data as necessary to facilitate the use or enablement of such Third Party Services.
12. BILLING AND PAYMENTS
12.1 Lumi will invoice the Client or automatically receive scheduled Payment for the Fees, which are payable within the Payment Terms.
12.2 If the Client fails to pay an invoice when it is due, Lumi may suspend or terminate access to and use of Lumi Application by the Client, Client Users and End-Users.
12.3 If the Client chooses to upgrade the Client’s Service Plan or increase the number of Client Users authorized to access and use the Lumi Application during the Term (a “Subscription Upgrade”), any incremental Subscription Fees associated with such Subscription Upgrade will be prorated over the remaining period of the Client’s then current Term, charged to the Client’s Account and due and payable upon implementation of such Subscription Upgrade. In any future Term, the Client’s Subscription Charges will reflect any such Subscription Upgrades.
12.4 No refunds or credits for Subscription Fees or other fees or payments will be provided to the Client. Downgrading the Client’s Service Plan may cause loss of content, features, or capacity of the Lumi Application as available to the Client under the Client’s Account, and Lumi does not accept any liability for such loss.
12.5 Unless otherwise stated, Lumi’s charges do not include any taxes, levies, duties or similar governmental assessments, including value-added, sales, use or withholding taxes assessable by any local, state, provincial or foreign jurisdiction (collectively “Taxes”). The Client is responsible for paying Taxes except those assessable against the Lumi Group measured by its net income. Lumi will invoice the Client for such Taxes if Lumi believes Lumi has a legal obligation to do so and the Client agrees to pay such Taxes if so invoiced.
13. CANCELLATION AND TERMINATION
13.1 Either party may terminate this Agreement for cause:
13.1.1 By cancelling the Subscription. Except as expressly set forth in these Terms, in case a Client cancels its Subscription during a Subscription Term, the Subscription will not renew for an additional period, but Client will not be refunded or credited for any unused period within the Subscription Term.
13.2 Upon request by the Client made within thirty (30) days after termination or expiration of this Agreement, Lumi will make Service Data available to the Client for export or download as provided in the Documentation. After such 30-day period, Lumi will have no obligation to maintain or provide any Service Data, and, as provided in the Documentation, will delete all copies of Service Data in Lumi’s possession or control in accordance with Lumi’s data retention policy, unless prohibited by law.
14. REPRESENTATIONS, WARRANTIES AND DISCLAIMERS
14.1 Each Party represents that it has validly entered into this Agreement and has the legal power to do so.
14.2 Lumi warrants that during an applicable Term the Lumi Application will perform materially in accordance with the applicable Documentation.
14.3 Except as specifically set forth in clause 14.2, the Lumi Site and the Lumi Application, including all server and network components, are provided on an “as is” and “as available” basis, without any warranties of any kind to the fullest extent permitted by law, and Lumi expressly disclaims any and all warranties, whether express or implied, including, but not limited to, any implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. The Client acknowledges that Lumi does not warrant that the Lumi Application will be uninterrupted, timely, secure, error-free or free from viruses or other Malicious Software, and no information or advice obtained by the Client from Lumi or through the Lumi Application shall create any warranty not expressly stated in this Agreement.
15. LIMITATION OF LIABILITY
15.1 Under no circumstances, whether in contract, tort, negligence or otherwise, will Lumi or the Lumi Group be liable to the Client or any Client Affiliate for any lost profits, lost sales or business, lost data (except, in the case of lost data only, other than as a result of Lumi’s breach of its obligations under clause 18 of this Agreement), business interruption, loss of goodwill, costs of cover or replacement, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, or any other indirect loss or damages incurred by the Client or any Client Affiliate in connection with this Agreement regardless of whether Lumi has been advised of the possibility of or could have foreseen such damages.
15.2 Notwithstanding anything to the contrary in this Agreement (except Lumi’s obligations to indemnify under clause 18.13 of this Agreement), the Lumi Group’s aggregate liability to the Client, any affiliate, or any third party arising out of this Agreement, shall in no event exceed the Fees paid by the Client during the twelve (12) months prior to the first event or occurrence giving rise to such liability. The Client acknowledges and agrees that the essential purpose of this clause 15 is to allocate the risks under this Agreement between the parties and limit potential liability given the Fees, which would have been substantially higher if Lumi were to assume any further liability other than as set forth in this Agreement. Lumi has relied on these limitations in determining whether to provide the Client with the rights to access and use the Lumi Application provided for in this Agreement. The limitation of liability provided for in this Agreement will apply in aggregate to the Client and its Affiliates and shall not be cumulative.
15.3 Any claims or damages that the Client may have against Lumi shall only be enforceable against Lumi and not any other entity or its officers, directors, representatives or agents.
16. INDEMNIFICATION
16.1 Lumi will indemnify and hold the Client harmless from and against any claim brought by a third party against the Client by reason of the Client’s use of the Lumi Application as permitted hereunder, alleging that the Lumi Application infringes or misappropriates a third party’s valid patent, copyright, trademark or trade secret (an “IP Claim”). Lumi shall, at Lumi’s expense, defend such IP Claim and pay damages finally awarded against the Client in connection therewith, including the reasonable fees and expenses of the attorneys engaged by Lumi for such defense, provided that:
16.1.1 the Client promptly notifies Lumi of the threat or notice of such IP Claim;
16.1.2 Lumi will have the sole and exclusive control and authority to select defense lawyers, and defend and/or settle any such IP Claim; and
16.1.3 the Client fully cooperates with Lumi in connection therewith. If use of the Lumi Application by the Client or Client Users has become, or, in Lumi’s opinion, is likely to become, the subject of any such IP Claim, Lumi may, at Lumi’s option and expense, procure for the Client the right to continue using the Lumi Application as set forth hereunder;
16.1.4 replace or modify a Lumi Application to make it non-infringing; or
16.1.5 if options 16.1.3 or 16.1.4 are not commercially reasonable or practicable as determined by Lumi, terminate the Client’s subscription to the Lumi Application and repay the Client, on a pro-rata basis, any Subscription Fees previously paid to Lumi for the corresponding unused portion of Term for the Lumi Application.
16.2 Lumi will have no liability or obligation under this clause with respect to any IP Claim if such claim is caused in whole or in part by:
16.2.1 compliance with designs, data, instructions or specifications provided by the Client;
16.2.2 modification of the Lumi Application by anyone other than Lumi; or
16.2.3 the combination, operation or use of the Lumi Application with other hardware or software where the Lumi Application would not by itself be infringing.
16.3 The provisions of this clause state the sole, exclusive and entire liability of Lumi to the Client and constitute the Client’s sole remedy with respect to an IP Claim brought by reason of access to or use of the Lumi Application by the Client or Client Users.
16.4 The Client will indemnify and hold Lumi harmless against any claim:
16.4.1 arising from or related to use of the Lumi Application by the Client or Client Users in breach of this Agreement; or
16.4.2 alleging that the Client’s use of the Lumi Application or the Client’s Service Data infringes or misappropriates a third party’s valid patent, copyright, trademark or trade secret; provided
(a) Lumi promptly notify the Client of the threat or notice of such claim;
(b) the Client will have the sole and exclusive control and authority to select defense lawyers, and defend and/or settle any such claim (however, the Client shall not settle or compromise any claim that results in liability or admission of any liability by Lumi without Lumi’s prior written consent); and
(c) Lumi fully cooperate with the Client in connection therewith.
17. INSURANCE
17.1 Lumi shall maintain during the term of this Agreement the following minimum levels of cover:
17.1.1 Employer’s liability Insurance to statutory limits;
17.1.2 Professional indemnity insurance not less than AU$10 million to cover any liabilities arising out of the Lumi Application for any one claim or series of claims arising out of any one incident or event; and
17.1.3 Product liability insurance in amounts not less than AU$2 million to cover any liabilities arising out of the Lumi Application for any one claim or series of claims arising out of any one incident or event.
18. PRIVACY AND DATA PROCESSING
18.1 All parties to this Agreement shall comply with Applicable Data Protection Laws. The parties agree and acknowledge that for the purpose of the Applicable Data Protection Laws, Schedule D describes the subject matter, duration, nature and purpose of the processing and the personal data categories and data subject types in respect of which Lumi may process the Client Personal Data to fulfil the business purposes.
18.2 Lumi shall not Process Client Personal Data other than on the Client’s documented instructions.
18.3 In the event the Client instructs Lumi to Process Client Personal Data, clauses 18.4 to 18.12 shall apply.
18.4 Lumi personnel: Lumi shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors, including the Approved Sub-processors, who may have access to Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with the Applicable Data Protection Laws in the context of that individual's duties to Lumi, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
18.5 Security: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Lumi shall in relation to Client Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and the measures set out in Lumi’s Security Guide (version published November 2020) provided to Client. In assessing the appropriate level of security, Lumi shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
18.6 Sub-processing: Lumi shall not appoint (or disclose any Client Personal Data to) any subcontractor or sub-processor unless required or authorized by the Client. Client consents to Lumi appointing only the Approved Sub-processors, as set out in Schedule D, to process Client Personal Data. Lumi confirms that it has entered into a written agreement incorporating terms which are substantially similar to those set out in this clause 18 and which Lumi confirms reflect and will continue to reflect the requirements of the Applicable Data Protection Laws. As between Client and Lumi, Lumi shall remain fully liable for all acts or omissions of the Approved Sub-processors or any other third-party processor appointed by it pursuant to this clause 18.
18.7 Data Subject Rights: Taking into account the nature of the Processing, Lumi shall assist the Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client obligations, as reasonably understood by the Client, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws. Lumi shall:
18.7.1 promptly notify the Client if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Client Personal Data; and
18.7.2 ensure that it does not respond to that request except on the documented instructions of the Client or as required by Applicable Data Protection Laws to which Lumi is subject, in which case Lumi shall to the extent permitted by Applicable Data Protection Laws inform the Client of that legal requirement before Lumi or, where applicable, the Approved Sub-processor responds to the request.
18.8 Personal Data Breach: Lumi shall notify the Client without undue delay upon Lumi becoming aware of a Personal Data Breach affecting Client Personal Data, providing the Client with sufficient information to allow the Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws. Lumi shall co-operate with the Client and take reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
18.9 Data Protection Impact Assessment and Prior Consultation: Lumi shall provide reasonable assistance to the Client with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Client reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, Lumi and, where applicable, the Approved Sub-processors.
18.10 Deletion or return of Client Personal Data: Subject to this clause 18.10, Lumi shall promptly and in any event within 10 business days of the date of cessation of any Lumi Application involving the Processing of Client Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Client Personal Data. Lumi shall provide written certification to the Client that it has fully complied with this clause 18.10 within 10 business days of the Cessation Date.
18.11 Audit rights: Subject to this clause 18.11, Lumi shall make available to the Client on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by Lumi and, where applicable, the Approved Sub-processors. Information and audit rights of the Client only arise under this clause 18.11 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the Applicable Data Protection Law.
18.12 Data Transfer: Lumi may not transfer or authorise the transfer of Data from countries inside to countries outside the United Kingdom (UK) or the European Economic Area (EEA) without the prior written consent of the Client. If personal data processed under this Agreement is transferred from a country within the UK or the EEA to a country outside the UK or the EEA respectively, the parties shall ensure that the Personal Data are adequately protected. To achieve this, the parties shall complete and be bound by the terms and conditions set out in a separate International Data Transfer Agreement.
18.13 Indemnity: Lumi agrees to indemnify, keep indemnified and defend at its own expense the Client against all costs, claims, damages or expenses incurred by the Client or for which the Client may become liable due to any failure by Lumi or its employees, Approved Sub-processors, subcontractors or agents to comply with any of its obligations under this clause 18. Lumi’s liability pursuant to this clause 18.13 shall in no event be greater than AU$2 million.
19. NOTICE
19.1 This Agreement and any other agreements, notices or other communications regarding the Lumi Application and/or the Client’s use of the Lumi Application may be provided to the Client electronically. The Client agrees to receive all communications from Lumi in electronic form.
19.2 Where a notice is sent by electronic mail, or through other electronic means, service of the notice is taken to be effected on the day after the day on which it is sent, unless Lumi receive notification that delivery has failed.
20. DISPUTE RESOLUTION
20.1 Any dispute arising out of or in connection with this Agreement (a Dispute) shall be referred by either party to the other party for resolution.
20.2 If the Dispute cannot be resolved by the persons referred to in clause 20.2 within ten Business Days after the Dispute has arisen, either party may give written notice to the other party that a Dispute has arisen (the Notice). If the Dispute is not resolved by agreement in writing between the parties within ten Business Days after the date of the Notice, the Dispute shall be resolved in accordance with clause 20.3.
20.3 A Dispute may at the request of either party be referred to mediation. Any reference to mediation shall be made in accordance with the procedures of the International Dispute Resolution Centre (IDRC). The mediation shall be conducted by a single mediator appointed by the parties or, if the parties to the dispute are unable to agree on the identity of the mediator within 21 days after the date of the request that the Dispute be resolved by mediation, or if the person appointed is unable or unwilling to act, the mediator shall be appointed by the IDRC on the application of either party. The mediation shall be conducted in the capital city of the country specified in the Jurisdiction, in English. Mediation is without prejudice to the rights of the parties in any future proceedings. The costs of the mediation, including the fees and expenses of the mediator shall be borne equally by the parties.
20.4 This clause 20 is without prejudice to either party’s right to seek interim relief (such as an injunction) against the other party through the courts within the Jurisdiction to protect its rights and interests, or to enforce the obligations of the other party.
21. GOVERNING LAW
21.1 This Agreement shall be governed by the laws of the Jurisdiction, without reference to conflict of laws principles. Any disputes under this Agreement shall be resolved in a court of general jurisdiction within the Jurisdiction. The Client agrees to submit to the exclusive personal jurisdiction of this jurisdiction for the purpose of resolving any dispute relating to this Agreement or access to or use of the Lumi Application by the Client or Client Users.
22. ANTI-CORRUPTION
22.1 Lumi warrants to the Client that:
22.1.1 Lumi is in compliance with, and shall comply with, all applicable laws relating to corruption, bribery, ethical business conduct, money laundering, political contributions, gifts and gratuities, or lawful expenses;
22.1.2 Lumi has not directly or indirectly paid, offered or promised to pay, or authorised the payment of, or requested, accepted, or agreed to accept; and
22.1.3 will not directly or indirectly pay, offer or promise to pay, or authorise the payment of, or request, accept or agree to accept, any money or anything of value to or from any person (including, without limitation, any government or public official) for the purpose of influencing or inducing any act or decision of such person or Lumi to secure any improper advantage or to obtain or retain business in connection with any of Lumi’s activities under this Agreement.
23. GENERAL
23.1 Assignment: The Client may not, directly or indirectly, by operation of law or otherwise, assign all or any part of this Agreement or the Client’s rights under this Agreement or delegate performance of the Client’s duties under this Agreement without Lumi’s prior written consent, which consent will not be unreasonably withheld. Lumi may, without the Client’s consent, assign this Agreement to any member of the Lumi Group or in connection with any merger or change of control of Lumi or the Lumi Group or the sale of all or substantially all of Lumi’s assets provided that any such successor agrees to fulfill its obligations pursuant to this Agreement. Subject to the foregoing restrictions, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
23.2 Entire Agreement: This Agreement constitutes the entire agreement, and supersedes any and all prior agreements between the Client and Lumi with regard to the subject matter hereof. This Agreement shall apply in lieu of the terms or conditions in any purchase order or other order documentation the Client or any Entity which the Client represents provides (all such terms or conditions being null and void), and, except as expressly stated herein, there are no other agreements, representations, warranties, or commitments which may be relied upon by either Party with respect to the subject matter hereof. There are no oral promises, conditions, representations, understandings, interpretations, or terms of any kind between the Parties, except as may otherwise be expressly provided herein.
23.3 Variation: Lumi may amend this Agreement from time to time, in which case the new Agreement will supersede prior versions. Lumi will notify the Client not less than ten (10) days prior to the effective date of any such amendment and the Client’s continued use of the Services following the effective date of any such amendment may be relied upon by Lumi as the Client’s consent to any such amendment. Lumi’s failure to enforce at any time any provision of this Agreement does not constitute a waiver of that provision or of any other provision of this Agreement.
23.4 Severability: If any provision in this Agreement is held by a court of competent jurisdiction to be unenforceable, such provision shall be modified by the court and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.
23.5 Relationship of the Parties: The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.
23.6 Survival: The obligations of confidentiality and protection of Intellectual Property Rights shall survive termination of this Agreement.
23.7 Counterparts: This Agreement may be signed electronically or be deemed to be signed as part of the Acceptance of Offer, and exchanged in any one or more counterparts, each of which shall be deemed to be an original and all of which, taken together, constitute one and the same instrument.
24. SCHEDULE B – LUMI’S ACCEPTABLE USE POLICY
1. Lumi provides the Lumi Application to a wide variety of Clients.
2. It is important for Lumi’s Clients to be fully informed about their responsibilities with respect to use of the Lumi Application.
3. The purpose of this Acceptable Use Policy is to define those responsibilities in plain English for Clients and Client Users.
4. This Policy recognises the fact that no one owns or controls the internet. Lumi does not have the ability to monitor and control all of the activities of our Clients, and Lumi does not intend to actively screen, review, censor, edit or take responsibility for the activities or content of its Clients. Lumi’s Clients, not Lumi, are solely responsible for and assume all liability relating to their internet activities, including:
(a) All aspects of the Client's business;
(b) All technology, content and data provided by or through a Client for use with the Lumi Application;
(c) All results obtained from using the Lumi Application;
(d) Compliance with all applicable laws and governmental regulations regarding the Client’s business or use of the Lumi Application;
(e) Use of the Lumi Application by the Client and Client Users;
(f) Compliance with this Acceptable Use Policy by the Client and Client Users.
5. Activities conducted on the internet are subject to many of the same laws and regulations applicable to the offline environment. In addition, a Client’s activities on the internet may affect other internet users, Lumi, its suppliers, or the safety or security of the Lumi Application. Consequently, Lumi’s Clients must exercise a high degree of judgement and responsibility with respect to their use of the Lumi Application, including the responsibility to comply with this Acceptable Use Policy.
6. Clients will violate this Policy when they or their affiliates engage in any of the following activities:
(a) Using the Lumi Application to violate any law, statute, ordinance or regulation governing the Client’s business or activities, including without limitation the laws and regulations governing export control, unfair competition, false advertising, consumer protection, issuance or sale of securities, child pornography, obscenity, trade in firearms, spamming, privacy, data transfer, and telecommunications;
(b) Using the Lumi Application in a manner which presents a material security risk or will interfere materially with the continued operation of a data centre or the Lumi Application;
(c) Using the Lumi Application in a manner that infringes another's copyrights, patents, trademarks, service marks, trade names, trade secrets or other intellectual property rights or rights of publicity, including failing to obtain all required permissions to receive, upload, download, display, distribute, or execute programs or perform other works or derivative works protected by intellectual property laws or removing or altering applicable copyright, trademark or patent notices;
(d) Using the Lumi Application in a tortious manner, including without limitation engaging in libel, defamation, harassment, misappropriation of trade secrets, intentional misrepresentation or fraud, or publication of private information without the permission of the person(s) involved;
(e) Introducing viruses, Trojan horses, trap doors, back doors, Easter eggs, worms, time bombs, packet bombs, cancelbots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; and/or
(f) Intentionally omitting, deleting, forging or misrepresenting transmission information, including headers, return addressing information and IP addresses, in violation of applicable law; using the Lumi Application to gain illegal or unauthorised access to other computers or networks through hacking or other means; assisting in or permitting any persons to engage in any of the activities described above.
7. Upon becoming aware of harmful activity, Lumi reserves the right to take remedial action, up to and including termination of the Client’s use of the Lumi Application. Clients agree to cooperate with Lumi in any reasonable corrective action that Lumi deems necessary to ensure compliance or prevent further harm. Failure to cooperate with such corrective or preventive measures is a violation of this Policy.
8. By using the Lumi Application Clients agree to comply with this Policy and also agree to indemnify Lumi against any claims by third parties arising from violation of this Policy. Lumi reserves the right to make changes to this Acceptable Use Policy at any time, and any changes will be effective immediately.
9. Continued use of the Lumi Application following notification of any changes shall constitute acceptance of the changes.
25. SCHEDULE C – SERVICE LEVELS
1. Availability: Lumi is an online platform and will be available 24 hours a day, 7 days a week except for Planned Downtime or Force Majeure Events.
2. Uptime: means the time the Lumi application is available to be accessed by the Client (except as indicated in section 5 below).
3. Performance: Lumi is a web-based application. The application will have a response time not exceeding 30 seconds for a full screen load 90% of the time over a broadband connection that is not experiencing network-related delays connecting to the internet.
4. Total Monthly Minutes: The number of days in the month multiplied by 1,440 minutes per day.
5. Downtime: “Downtime” in any month means the total number of minutes that the Client cannot access the Lumi Application. The calculation of Downtime Minutes excludes time that the Client is unable to access the Lumi Application due to any of the following:
a. Planned Downtime;
b. That result from a suspension of user access;
c. Caused by factors outside of our reasonable control, including any Force Majeure Event, Internet access, or problems beyond the demarcation point of the Lumi network;
d. That result from the equipment, software or other technology of you or any third party (other than third party equipment within our direct control);
e. That result from any Support and Maintenance; or
f. Anything outside of the direct control of Lumi.
6. Problem resolution response time: Support for responding to product-related problems will be available from Monday to Friday in the following time zones: Asia and Oceania: 8AM – 5PM (GMT+10), for example, service interruption reported on Friday at 6 PM may not be looked at until 9AM the following Monday. In conjunction with these guidelines Lumi Support Team will make every effort to respond within 24 hours of reporting the fault.
7. Service Commitments and Service Credits: Service Credits are calculated as a percentage of the total monthly charges paid by Client (excluding one-time payments, e.g. for training, etc.) for the monthly billing cycle in which the Downtime occurred in accordance with the schedule below:
a. For monthly Uptime percentage less than 99.75% but equal to or greater than 99.0%, the Client will be eligible for a 10% Service Credit on Subscription Fees.
b. For monthly Uptime percentage less than 99.0%, the Client will be eligible for a 20% Service Credit on Subscription Fees.
8. Credit Request and Payment Procedures: To receive a Service Credit for unavailability, Client must submit a claim by emailing support@lumi.media. To be eligible, the credit request must be received by Lumi by the end of the second billing cycle after which the incident occurred and must include:
a. the words "SLA Credit Request" in the subject line;
b. the dates and times of each Unavailability incident that the Client is claiming;
c. the account name(s); and
d. logs that document the errors and corroborate your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks).
9. If the Monthly Uptime Percentage of such request is confirmed by Lumi and is less than the Service Commitment, then Lumi will issue the Service Credit to Client within one billing cycle following the month in which the request is confirmed by Lumi. Client’s failure to provide the request and other information as required above will disqualify Client from receiving a Service Credit.
10. Changes to Service Levels: Service Levels may be revised after mutual written agreement of both parties.
26. SCHEDULE D – PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Subject matter of processing:
Lumi provides a cloud based platform, for pre to post-production and delivery, which brings everything into a central hub, giving those with access to a particular production an immediate context for their role, no matter when they join a project, and from wherever they work. Production management and casting execs will be able to track casting applications and successes for all onscreen cast/talent, as well as auditions and outcomes with space for notes and all will be updated and added to as production moves forward.
Duration of Processing:
The duration of the Term of the applicable Agreement(s) only and no longer.
Nature of Processing:
In line with the subject matter of the processing, Lumi will process Client Personal Data in accordance with the terms of the applicable Agreement(s).
Business Purposes:
For the purposes of Lumi providing the services outlined in Clause 4.1 of this Agreement.
Personal Data Categories:
Full names; email addresses; postal home addresses; contact details; links to data subjects’ social media platforms (including Facebook, LinkedIn); health data in the form of covid vaccination status and the outcome of a covid test; the outcome of psychometric tests; the outcome of criminal background checks.
Data Subject Types:
Employees of Client or associated Freelancers, Sub-Contractors or other Crew; General members of the public who apply to be a part of a production run by the Client.
Approved Sub-processors:
| Sub-processor | Function / Data Processing Activity | Location of Processing |
| --- | --- | --- |
| Full Story | UX data analytics. Used to monitor a user’s experience. We use this data to refine our UI. FullStory processes data at the screen level but this can sometimes show card titles and field data. FullStory deletes all data after 3 months. | Google Cloud Platform located within the US |
| ckEditor | SaaS based solution used to provide collaborative editing in the Lumi tabs. | Poland |
| Microsoft Azure | Our SaaS servers | Australia - East Coast |
27. SCHEDULE E – UK INTERNATIONAL DATA TRANSFER AGREEMENT
Application to UK Clients
This Schedule applies only to Clients established in the United Kingdom. In addition to the Terms of Service and Privacy Policy, UK Clients also agree to the UK International Data Transfer Agreement (“IDTA”), version A1.0 issued by the UK Information Commissioner.
Definitions and Interpretation
For the purposes of this Schedule and the IDTA:
- The “Exporter” means the “Client” as defined in the Terms of Service.
- The “Importer” means Lumi Co Pty Ltd.
- The “Linked Agreement” means the Lumi Terms of Service (including the Privacy Policy, any Proposal or Subscription Order, and the incorporated Schedules).
- The categories of Personal Data, Data Subjects and Approved Sub-processors are as set out in Schedule D of the Terms.
Acceptance of the IDTA
By placing an order, subscribing, or otherwise accessing the Lumi Application, UK Clients confirm that they accept and are bound by the IDTA (as set out in this Schedule) in addition to the Terms of Service and the Privacy Policy.
Structure of this Schedule
The full text of the IDTA, including its tables and mandatory clauses, is incorporated into this Schedule and follows this introduction. Where there is any inconsistency between the Terms of Service and the IDTA in respect of Restricted Transfers under UK Data Protection Law, the IDTA will prevail.
INTERNATIONAL DATA TRANSFER AGREEMENT
(Version A1.0, in force 21 March 2022 — issued by the UK Information Commissioner)
The International Data Transfer Agreement (version A1.0, in force 21 March 2022) (IDTA) has been issued by the United Kingdom’s Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties and signatures
| Start date | The Commencement Date as set out in the Linked Lumi Subscription Terms and Conditions Agreement. | The Commencement Date as set out in the Linked Lumi Subscription Terms and Conditions Agreement. |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Full legal name: As specified during Acceptance of Offer; Trading name (if different): As specified during Acceptance of Offer; Main address (if a company registered address): As specified during Acceptance of Offer; Official registration number (if any) (company number or similar identifier): As specified during Acceptance of Offer | Full legal name: Lumi Co Pty Ltd; Trading name (if different): n/a; Main address (if a company registered address): 20 Tombonda Dr, Kiama, NSW, 2533, Australia; Official registration number (if any) (company number or similar identifier): 88 622 984 132 |
| Key Contact | Full Name (optional): As specified during Acceptance of Offer; Contact details including email: As specified during Acceptance of Offer | Full Name (optional): Neil Dewey; Contact details including email: neil@lumi.media |
| Importer Data Subject Contact | | Contact details including email: neil@lumi.media |
Acceptance method: By completing the Acceptance of Offer on the Lumi Site (tick-box assent to the Terms of Service, Privacy Policy and, for UK Clients, this IDTA).
Effective date of acceptance: the Commencement Date (as defined in the Terms of Service).
Exporter: the Client as specified during Acceptance of Offer.
Importer: Lumi Co Pty Ltd.
Authority: The individual completing the Acceptance of Offer represents and warrants that they have authority to bind the Exporter to this IDTA.
Signature requirement: No physical or electronic signature is required; acceptance occurs upon completion of the Acceptance of Offer.
Table 2: Transfer Details
| UK country’s law that governs the IDTA: | England and Wales Northern Ireland Scotland |
| Primary place for legal claims to be made by the Parties | England and Wales Northern Ireland Scotland |
| The status of the Exporter | In relation to the Processing of the Transferred Data: Exporter is a Controller Exporter is a Processor or Sub-Processor |
| The status of the Importer | In relation to the Processing of the Transferred Data: Importer is a Controller Importer is the Exporter’s Processor or Sub-Processor Importer is not the Exporter’s Processor or Sub-Processor (and the Importer has been instructed by a Third Party Controller) |
| Whether UK GDPR applies to the Importer | UK GDPR applies to the Importer’s Processing of the Transferred Data UK GDPR does not apply to the Importer’s Processing of the Transferred Data |
| Linked Agreement | This agreement in full, comprising the Lumi Subscription Licence Agreement. |
| Term | The Importer may Process the Transferred Data for the following time period: the period for which the Linked Agreement is in force time period: (only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose. |
| Ending the IDTA before the end of the Term | the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing. the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach). |
| Ending the IDTA when the Approved IDTA changes | Which Parties may end the IDTA as set out in Section 29.2: Importer Exporter neither Party |
| Can the Importer make further transfers of the Transferred Data? | The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data). The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data). |
| Specific restrictions when the Importer may transfer on the Transferred Data | The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1: if the Exporter tells it in writing that it may do so. to: The Approved Sub-processors set out in Schedule B, including FullStory and ckEditor to the authorised receivers (or the categories of authorised receivers) set out in: there are no specific restrictions. |
| Review Dates | No review is needed as this is a one-off transfer and the Importer does not retain any Transferred Data First review date: 01 Apr 2024 The Parties must review the Security Requirements at least once: each month(s) each quarter each 6 months each year each 2 year(s) each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment |
Table 3: Transferred Data
| Transferred Data | The personal data to be sent to the Importer under this IDTA consists of: The personal data categories set out in Schedule B. The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to. The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3. |
| Special Categories of Personal Data and criminal convictions and offences | The Transferred Data includes data relating to: racial or ethnic origin political opinions religious or philosophical beliefs trade union membership genetic data biometric data for the purpose of uniquely identifying a natural person physical or mental health sex life or sexual orientation criminal convictions and offences none of the above set out in: And: The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to. The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3. |
| Relevant Data Subjects | The Data Subjects of the Transferred Data are: The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to. The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3. |
| Purpose | The Importer may Process the Transferred Data for the following purposes: for the purpose of providing the services outlined in Clause 4.1 of the Linked Agreement only. The Importer may Process the Transferred Data for the purposes set out in: In both cases, any other purposes which are compatible with the purposes set out above. The purposes will update automatically if the information is updated in the Linked Agreement referred to. The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3. |
Table 4: Security Requirements
| Security of Transmission | The Transferred Data is to be transmitted via encrypted channels. |
| Security of Storage | The Transferred Data is to be encrypted at rest. |
| Security of Processing | The exporter is to regularly undertake an analysis of the risks of the exporter’s data processing to inform the appropriate level of security required to be in place. The exporter can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process. The exporter to use encryption and/or pseudonymisation where it is appropriate to do so. The Importer will comply with the measures set out in Lumi’s Security Guide (version published November 2020) provided to Exporter. |
| Organisational security measures | The exporter to regularly review the exporter’s information security policies and measures and improve on them where necessary. The exporter to periodically submit to penetration tests to achieve state of the art protection against security threats and malicious actors. The Importer will comply with the measures set out in Lumi’s Security Guide (version published November 2020) provided to Exporter. |
| Technical security minimum requirements | Importer and exporter are responsible to ensure they meet minimum security requirements to meet security goals as required. The Importer will comply with the measures set out in Lumi’s Security Guide (version published November 2020) provided to Exporter. |
| Updates to the Security Requirements | The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to. The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3. |
Part 2: Extra Protection Clauses
| Extra Protection Clauses: | Not applicable |
| (i) Extra technical security protections | Not applicable |
| (ii) Extra organisational protections | Not applicable |
| (iii) Extra contractual protections | Not applicable |
Part 3: Commercial Clauses
| Commercial Clauses | 1. If the Importer seeks to transfer on the Transferred Data to a third party in accordance with Section 16.1, it must obtain the prior written consent of the Exporter. |
Part 4: Mandatory Clauses
Information that helps you to understand this IDTA
This IDTA and Linked Agreements
Each Party agrees to be bound by the terms and conditions set out in the IDTA, in exchange for the other Party also agreeing to be bound by the IDTA.
This IDTA is made up of:
Part one: Tables;
Part two: Extra Protection Clauses;
Part three: Commercial Clauses; and
Part four: Mandatory Clauses.
The IDTA starts on the Start Date and ends as set out in Sections 29 or 30.
If the Importer is a Processor or Sub-Processor instructed by the Exporter: the Exporter must ensure that, on or before the Start Date and during the Term, there is a Linked Agreement which is enforceable between the Parties and which complies with Article 28 UK GDPR (and which they will ensure continues to comply with Article 28 UK GDPR).
References to the Linked Agreement or to the Commercial Clauses are to that Linked Agreement or to those Commercial Clauses only in so far as they are consistent with the Mandatory Clauses.
Legal Meaning of Words
If a word starts with a capital letter it has the specific meaning set out in the Legal Glossary in Section 36.
To make it easier to read and understand, this IDTA contains headings and guidance notes. Those are not part of the binding contract which forms the IDTA.
You have provided all the information required
The Parties must ensure that the information contained in Part one: Tables is correct and complete at the Start Date and during the Term.
In Table 2: Transfer Details, if the selection that the Parties are Controllers, Processors or Sub-Processors is wrong (either as a matter of fact or as a result of applying the UK Data Protection Laws) then:
the terms and conditions of the Approved IDTA which apply to the correct option which was not selected will apply; and
the Parties and any Relevant Data Subjects are entitled to enforce the terms and conditions of the Approved IDTA which apply to that correct option.
In Table 2: Transfer Details, if the selection that the UK GDPR applies is wrong (either as a matter of fact or as a result of applying the UK Data Protection Laws), then the terms and conditions of the IDTA will still apply to the greatest extent possible.
How to sign the IDTA
The Parties may choose to each sign (or execute):
the same copy of this IDTA;
two copies of the IDTA. In that case, each identical copy is still an original of this IDTA, and together all those copies form one agreement;
a separate, identical copy of the IDTA. In that case, each identical copy is still an original of this IDTA, and together all those copies form one agreement,
unless signing (or executing) in this way would mean that the IDTA would not be binding on the Parties under Local Laws.
Changing this IDTA
Each Party must not change the Mandatory Clauses as set out in the Approved IDTA, except only:
to ensure correct cross-referencing: cross-references to Part one: Tables (or any Table), Part two: Extra Protections, and/or Part three: Commercial Clauses can be changed where the Parties have set out the information in a different format, so that the cross-reference is to the correct location of the same information, or where clauses have been removed as they do not apply, as set out below;
to remove those Sections which are expressly stated not to apply to the selections made by the Parties in Table 2: Transfer Details, that the Parties are Controllers, Processors or Sub-Processors and/or that the Importer is subject to, or not subject to, the UK GDPR. The Exporter and Importer understand and acknowledge that any removed Sections may still apply and form a part of this IDTA if they have been removed incorrectly, including because the wrong selection is made in Table 2: Transfer Details;
so the IDTA operates as a multi-party agreement if there are more than two Parties to the IDTA. This may include nominating a lead Party or lead Parties which can make decisions on behalf of some or all of the other Parties which relate to this IDTA (including reviewing Table 4: Security Requirements and Part two: Extra Protection Clauses, and making updates to Part one: Tables (or any Table), Part two: Extra Protection Clauses, and/or Part three: Commercial Clauses); and/or
to update the IDTA to set out in writing any changes made to the Approved IDTA under Section 5.4, if the Parties want to. The changes will apply automatically without updating them as described in Section 5.4;
provided that the changes do not reduce the Appropriate Safeguards.
If the Parties wish to change the format of the information included in Part one: Tables, Part two: Extra Protection Clauses or Part three: Commercial Clauses of the Approved IDTA, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
If the Parties wish to change the information included in Part one: Tables, Part two: Extra Protection Clauses or Part three: Commercial Clauses of this IDTA (or the equivalent information), they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
From time to time, the ICO may publish a revised Approved IDTA which:
makes reasonable and proportionate changes to the Approved IDTA, including correcting errors in the Approved IDTA; and/or
reflects changes to UK Data Protection Laws.
The revised Approved IDTA will specify the start date from which the changes to the Approved IDTA are effective and whether an additional Review Date is required as a result of the changes. This IDTA is automatically amended as set out in the revised Approved IDTA from the start date specified.
Understanding this IDTA
This IDTA must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
If there is any inconsistency or conflict between UK Data Protection Laws and this IDTA, the UK Data Protection Laws apply.
If the meaning of the IDTA is unclear or there is more than one meaning, the meaning which most closely aligns with the UK Data Protection Laws applies.
Nothing in the IDTA (including the Commercial Clauses or the Linked Agreement) limits or excludes either Party’s liability to Relevant Data Subjects or to the ICO under this IDTA or under UK Data Protection Laws.
If any wording in Parts one, two or three contradicts the Mandatory Clauses, and/or seeks to limit or exclude any liability to Relevant Data Subjects or to the ICO, then that wording will not apply.
The Parties may include provisions in the Linked Agreement which provide the Parties with enhanced rights otherwise covered by this IDTA. These enhanced rights may be subject to commercial terms, including payment, under the Linked Agreement, but this will not affect the rights granted under this IDTA.
If there is any inconsistency or conflict between this IDTA and a Linked Agreement or any other agreement, this IDTA overrides that Linked Agreement or any other agreements, even if those agreements have been negotiated by the Parties. The exceptions to this are where (and in so far as):
the inconsistent or conflicting terms of the Linked Agreement or other agreement provide greater protection for the Relevant Data Subject’s rights, in which case those terms will override the IDTA; and
a Party acts as Processor and the inconsistent or conflicting terms of the Linked Agreement are obligations on that Party expressly required by Article 28 UK GDPR, in which case those terms will override the inconsistent or conflicting terms of the IDTA in relation to Processing by that Party as Processor.
The words “include”, “includes”, “including”, “in particular” are used to set out examples and not to set out a finite list.
References to:
singular or plural words or people, also includes the plural or singular of those words or people;
legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this IDTA has been signed; and
any obligation not to do something, includes an obligation not to allow or cause that thing to be done by anyone else.
Which laws apply to this IDTA
This IDTA is governed by the laws of the UK country set out in Table 2: Transfer Details. If no selection has been made, it is the laws of England and Wales. This does not apply to Section 35 which is always governed by the laws of England and Wales.
How this IDTA provides Appropriate Safeguards
The Appropriate Safeguards
The purpose of this IDTA is to ensure that the Transferred Data has Appropriate Safeguards when Processed by the Importer during the Term. This standard is met when and for so long as:
both Parties comply with the IDTA, including the Security Requirements and any Extra Protection Clauses; and
the Security Requirements and any Extra Protection Clauses provide a level of security which is appropriate to the risk of a Personal Data Breach occurring and the impact on Relevant Data Subjects of such a Personal Data Breach, including considering any Special Category Data within the Transferred Data.
The Exporter must:
ensure and demonstrate that this IDTA (including any Security Requirements and Extra Protection Clauses) provides Appropriate Safeguards; and
(if the Importer reasonably requests) provide it with a copy of any TRA.
The Importer must:
before receiving any Transferred Data, provide the Exporter with all relevant information regarding Local Laws and practices and the protections and risks which apply to the Transferred Data when it is Processed by the Importer, including any information which may reasonably be required for the Exporter to carry out any TRA (the “Importer Information”);
co-operate with the Exporter to ensure compliance with the Exporter’s obligations under the UK Data Protection Laws;
review whether any Importer Information has changed, and whether any Local Laws contradict its obligations in this IDTA and take reasonable steps to verify this, on a regular basis. These reviews must be at least as frequent as the Review Dates; and
inform the Exporter as soon as it becomes aware of any Importer Information changing, and/or any Local Laws which may prevent or limit the Importer complying with its obligations in this IDTA. This information then forms part of the Importer Information.
The Importer must ensure that at the Start Date and during the Term:
the Importer Information is accurate;
it has taken reasonable steps to verify whether there are any Local Laws which contradict its obligations in this IDTA or any additional information regarding Local Laws which may be relevant to this IDTA.
Each Party must ensure that the Security Requirements and Extra Protection Clauses provide a level of security which is appropriate to the risk of a Personal Data Breach occurring and the impact on Relevant Data Subjects of such a Personal Data Breach.
Reviews to ensure the Appropriate Safeguards continue
Each Party must:
review this IDTA (including the Security Requirements and Extra Protection Clauses and the Importer Information) at regular intervals, to ensure that the IDTA remains accurate and up to date and continues to provide the Appropriate Safeguards. Each Party will carry out these reviews as frequently as the relevant Review Dates or sooner; and
inform the other party in writing as soon as it becomes aware if any information contained in either this IDTA, any TRA or Importer Information is no longer accurate and up to date.
If, at any time, the IDTA no longer provides Appropriate Safeguards the Parties must Without Undue Delay:
pause transfers and Processing of Transferred Data whilst a change to the Tables is agreed. The Importer may retain a copy of the Transferred Data during this pause, in which case the Importer must carry out any Processing required to maintain, so far as possible, the measures it was taking to achieve the Appropriate Safeguards prior to the time the IDTA no longer provided Appropriate Safeguards, but no other Processing;
agree a change to Part one: Tables or Part two: Extra Protection Clauses which will maintain the Appropriate Safeguards (in accordance with Section 5); and
where a change to Part one: Tables or Part two: Extra Protection Clauses which maintains the Appropriate Safeguards cannot be agreed, the Exporter must end this IDTA by written notice on the Importer.
The ICO
Each Party agrees to comply with any reasonable requests made by the ICO in relation to this IDTA or its Processing of the Transferred Data.
The Exporter will provide a copy of any TRA, the Importer Information and this IDTA to the ICO, if the ICO requests.
The Importer will provide a copy of any Importer Information and this IDTA to the ICO, if the ICO requests.
The Exporter
Exporter’s obligations
The Exporter agrees that UK Data Protection Laws apply to its Processing of the Transferred Data, including transferring it to the Importer.
The Exporter must:
comply with the UK Data Protection Laws in transferring the Transferred Data to the Importer;
comply with the Linked Agreement as it relates to its transferring the Transferred Data to the Importer; and
carry out reasonable checks on the Importer’s ability to comply with this IDTA, and take appropriate action including under Section 9.2, Section 29 or Section 30, if at any time it no longer considers that the Importer is able to comply with this IDTA or to provide Appropriate Safeguards.
The Exporter must comply with all its obligations in the IDTA, including any in the Security Requirements, and any Extra Protection Clauses and any Commercial Clauses.
The Exporter must co-operate with reasonable requests of the Importer to pass on notices or other information to and from Relevant Data Subjects or any Third Party Controller where it is not reasonably practical for the Importer to do so. The Exporter may pass these on via a third party if it is reasonable to do so.
The Exporter must co-operate with and provide reasonable assistance to the Importer, so that the Importer is able to comply with its obligations to the Relevant Data Subjects under Local Law and this IDTA.
The Importer
General Importer obligations
The Importer must:
only Process the Transferred Data for the Purpose;
comply with all its obligations in the IDTA, including in the Security Requirements, any Extra Protection Clauses and any Commercial Clauses;
comply with all its obligations in the Linked Agreement which relate to its Processing of the Transferred Data;
keep a written record of its Processing of the Transferred Data, which demonstrate its compliance with this IDTA, and provide this written record if asked to do so by the Exporter;
if the Linked Agreement includes rights for the Exporter to obtain information or carry out an audit, provide the Exporter with the same rights in relation to this IDTA; and
if the ICO requests, provide the ICO with the information it would be required on request to provide to the Exporter under this Section 12.1 (including the written record of its Processing, and the results of audits and inspections).
The Importer must co-operate with and provide reasonable assistance to the Exporter and any Third Party Controller, so that the Exporter and any Third Party Controller are able to comply with their obligations under UK Data Protection Laws and this IDTA.
Importer’s obligations if it is subject to the UK Data Protection Laws
If the Importer’s Processing of the Transferred Data is subject to UK Data Protection Laws, it agrees that:
UK Data Protection Laws apply to its Processing of the Transferred Data, and the ICO has jurisdiction over it in that respect; and
it has and will comply with the UK Data Protection Laws in relation to the Processing of the Transferred Data.
If Section 13.1 applies and the Importer complies with Section 13.1, it does not need to comply with:
• Section 14 (Importer’s obligations to comply with key data protection principles);
• Section 15 (What happens if there is an Importer Personal Data Breach);
• Section 15 (How Relevant Data Subjects can exercise their data subject rights); and
• Section 21 (How Relevant Data Subjects can exercise their data subject rights – if the Importer is the Exporter’s Processor or Sub-Processor).
Importer’s obligations to comply with key data protection principles
The Importer does not need to comply with this Section 14 if it is the Exporter’s Processor or Sub-Processor.
The Importer must:
ensure that the Transferred Data it Processes is adequate, relevant and limited to what is necessary for the Purpose;
ensure that the Transferred Data it Processes is accurate and (where necessary) kept up to date, and (where appropriate considering the Purposes) correct or delete any inaccurate Transferred Data it becomes aware of Without Undue Delay; and
ensure that it Processes the Transferred Data for no longer than is reasonably necessary for the Purpose.
What happens if there is an Importer Personal Data Breach
If there is an Importer Personal Data Breach, the Importer must:
take reasonable steps to fix it, including to minimise the harmful effects on Relevant Data Subjects, stop it from continuing, and prevent it happening again. If the Importer is the Exporter’s Processor or Sub-Processor: these steps must comply with the Exporter’s instructions and the Linked Agreement and be in co-operation with the Exporter and any Third Party Controller; and
ensure that the Security Requirements continue to provide (or are changed in accordance with this IDTA so they do provide) a level of security which is appropriate to the risk of a Personal Data Breach occurring and the impact on Relevant Data Subjects of such a Personal Data Breach.
If the Importer is a Processor or Sub-Processor: if there is an Importer Personal Data Breach, the Importer must:
notify the Exporter Without Undue Delay after becoming aware of the breach, providing the following information:
a description of the nature of the Importer Personal Data Breach;
(if and when possible) the categories and approximate number of Data Subjects and Transferred Data records concerned;
likely consequences of the Importer Personal Data Breach;
steps taken (or proposed to be taken) to fix the Importer Personal Data Breach (including to minimise the harmful effects on Relevant Data Subjects, stop it from continuing, and prevent it happening again) and to ensure that Appropriate Safeguards are in place;
contact point for more information; and
any other information reasonably requested by the Exporter,
if it is not possible for the Importer to provide all the above information at the same time, it may do so in phases, Without Undue Delay; and
assist the Exporter (and any Third Party Controller) so the Exporter (or any Third Party Controller) can inform Relevant Data Subjects or the ICO or any other relevant regulator or authority about the Importer Personal Data Breach Without Undue Delay.
If the Importer is a Controller: if the Importer Personal Data Breach is likely to result in a risk to the rights or freedoms of any Relevant Data Subject the Importer must notify the Exporter Without Undue Delay after becoming aware of the breach, providing the following information:
a description of the nature of the Importer Personal Data Breach;
(if and when possible) the categories and approximate number of Data Subjects and Transferred Data records concerned;
likely consequences of the Importer Personal Data Breach;
steps taken (or proposed to be taken) to fix the Importer Personal Data Breach (including to minimise the harmful effects on Relevant Data Subjects, stop it from continuing, and prevent it happening again) and to ensure that Appropriate Safeguards are in place;
contact point for more information; and
any other information reasonably requested by the Exporter.
If it is not possible for the Importer to provide all the above information at the same time, it may do so in phases, Without Undue Delay.
If the Importer is a Controller: if the Importer Personal Data Breach is likely to result in a high risk to the rights or freedoms of any Relevant Data Subject, the Importer must inform those Relevant Data Subjects Without Undue Delay, except in so far as it requires disproportionate effort, and provided the Importer ensures that there is a public communication or similar measures whereby Relevant Data Subjects are informed in an equally effective manner.
The Importer must keep a written record of all relevant facts relating to the Importer Personal Data Breach, which it will provide to the Exporter and the ICO on request.
This record must include the steps it takes to fix the Importer Personal Data Breach (including to minimise the harmful effects on Relevant Data Subjects, stop it from continuing, and prevent it happening again) and to ensure that Security Requirements continue to provide a level of security which is appropriate to the risk of a Personal Data Breach occurring and the impact on Relevant Data Subjects of such a Personal Data Breach.
Transferring on the Transferred Data
The Importer may only transfer on the Transferred Data to a third party if it is permitted to do so in Table 2: Transfer Details Table, the transfer is for the Purpose, the transfer does not breach the Linked Agreement, and one or more of the following apply:
the third party has entered into a written contract with the Importer containing the same level of protection for Data Subjects as contained in this IDTA (based on the role of the recipient as controller or processor), and the Importer has conducted a risk assessment to ensure that the Appropriate Safeguards will be protected by that contract; or
the third party has been added to this IDTA as a Party; or
if the Importer was in the UK, transferring on the Transferred Data would comply with Article 46 UK GDPR; or
if the Importer was in the UK transferring on the Transferred Data would comply with one of the exceptions in Article 49 UK GDPR; or
the transfer is to the UK or an Adequate Country.
The Importer does not need to comply with Section 16.1 if it is transferring on Transferred Data and/or allowing access to the Transferred Data in accordance with Section 23 (Access Requests and Direct Access).
Importer’s responsibility if it authorises others to perform its obligations
The Importer may sub-contract its obligations in this IDTA to a Processor or Sub-Processor (provided it complies with Section 16).
If the Importer is the Exporter’s Processor or Sub-Processor: it must also comply with the Linked Agreement or be with the written consent of the Exporter.
The Importer must ensure that any person or third party acting under its authority, including a Processor or Sub-Processor, must only Process the Transferred Data on its instructions.
The Importer remains fully liable to the Exporter, the ICO and Relevant Data Subjects for its obligations under this IDTA where it has sub-contracted any obligations to its Processors and Sub-Processors, or authorised an employee or other person to perform them (and references to the Importer in this context will include references to its Processors, Sub-Processors or authorised persons).
What rights do individuals have?
The right to a copy of the IDTA
If a Party receives a request from a Relevant Data Subject for a copy of this IDTA:
it will provide the IDTA to the Relevant Data Subject and inform the other Party, as soon as reasonably possible;
it does not need to provide copies of the Linked Agreement, but it must provide all the information from those Linked Agreements referenced in the Tables;
it may redact information in the Tables or the information provided from the Linked Agreement if it is reasonably necessary to protect business secrets or confidential information, so long as it provides the Relevant Data Subject with a summary of those redactions so that the Relevant Data Subject can understand the content of the Tables or the information provided from the Linked Agreement.
The right to Information about the Importer and its Processing
The Importer does not need to comply with this Section 19 if it is the Exporter’s Processor or Sub-Processor.
The Importer must ensure that each Relevant Data Subject is provided with details of:
the Importer (including contact details and the Importer Data Subject Contact);
the Purposes; and
any recipients (or categories of recipients) of the Transferred Data.
The Importer can demonstrate it has complied with this Section 19.2 if the information is given (or has already been given) to the Relevant Data Subjects by the Exporter or another party.
The Importer does not need to comply with this Section 19.2 in so far as to do so would be impossible or involve a disproportionate effort, in which case, the Importer must make the information publicly available.
The Importer must keep the details of the Importer Data Subject Contact up to date and publicly available. This includes notifying the Exporter in writing of any such changes.
The Importer must make sure those contact details are always easy to access for all Relevant Data Subjects and be able to easily communicate with Data Subjects in the English language Without Undue Delay.
How Relevant Data Subjects can exercise their data subject rights
The Importer does not need to comply with this Section 20 if it is the Exporter’s Processor or Sub-Processor.
If an individual requests, the Importer must confirm whether it is Processing their Personal Data as part of the Transferred Data.
The following Sections of this Section 20, relate to a Relevant Data Subject’s Personal Data which forms part of the Transferred Data the Importer is Processing.
If the Relevant Data Subject requests, the Importer must provide them with a copy of their Transferred Data:
Without Undue Delay (and in any event within one month);
at no greater cost to the Relevant Data Subject than it would be able to charge if it were subject to the UK Data Protection Laws;
in clear and plain English that is easy to understand; and
in an easily accessible form
together with
(if needed) a clear and plain English explanation of the Transferred Data so that it is understandable to the Relevant Data Subject; and
information that the Relevant Data Subject has the right to bring a claim for compensation under this IDTA.
If a Relevant Data Subject requests, the Importer must:
rectify inaccurate or incomplete Transferred Data;
erase Transferred Data if it is being Processed in breach of this IDTA;
cease using it for direct marketing purposes; and
comply with any other reasonable request of the Relevant Data Subject, which the Importer would be required to comply with if it were subject to the UK Data Protection Laws.
The Importer must not use the Transferred Data to make decisions about the Relevant Data Subject based solely on automated processing, including profiling (the “Decision-Making”), which produce legal effects concerning the Relevant Data Subject or similarly significantly affects them, except if it is permitted by Local Law and:
the Relevant Data Subject has given their explicit consent to such Decision-Making; or
Local Law has safeguards which provide sufficiently similar protection for the Relevant Data Subjects in relation to such Decision-Making, as to the relevant protection the Relevant Data Subject would have if such Decision-Making was in the UK; or
the Extra Protection Clauses provide safeguards for the Decision-Making which provide sufficiently similar protection for the Relevant Data Subjects in relation to such Decision-Making, as to the relevant protection the Relevant Data Subject would have if such Decision-Making was in the UK.
How Relevant Data Subjects can exercise their data subject rights – if the Importer is the Exporter’s Processor or Sub-Processor
Where the Importer is the Exporter’s Processor or Sub-Processor: If the Importer receives a request directly from an individual which relates to the Transferred Data it must pass that request on to the Exporter Without Undue Delay. The Importer must only respond to that individual as authorised by the Exporter or any Third Party Controller.
Rights of Relevant Data Subjects are subject to the exemptions in the UK Data Protection Laws
The Importer is not required to respond to requests or provide information or notifications under Sections 18, 19, 20, 21 and 23 if:
it is unable to reasonably verify the identity of an individual making the request; or
the requests are manifestly unfounded or excessive, including where requests are repetitive. In that case the Importer may refuse the request or may charge the Relevant Data Subject a reasonable fee; or
a relevant exemption would be available under UK Data Protection Laws, were the Importer subject to the UK Data Protection Laws.
If the Importer refuses an individual’s request or charges a fee under Section 22.1.2 it will set out in writing the reasons for its refusal or charge, and inform the Relevant Data Subject that they are entitled to bring a claim for compensation under this IDTA in the case of any breach of this IDTA.
How to give third parties access to Transferred Data under Local Laws
Access requests and direct access
In this Section 23 an “Access Request” is a legally binding request (except for requests only binding by contract law) to access any Transferred Data and “Direct Access” means direct access to any Transferred Data by public authorities of which the Importer is aware.
The Importer may disclose any requested Transferred Data in so far as it receives an Access Request, unless in the circumstances it is reasonable for it to challenge that Access Request on the basis there are significant grounds to believe that it is unlawful.
In so far as Local Laws allow and it is reasonable to do so, the Importer will Without Undue Delay provide the following with relevant information about any Access Request or Direct Access: the Exporter; any Third Party Controller; and where the Importer is a Controller, any Relevant Data Subjects.
In so far as Local Laws allow, the Importer must:
make and keep a written record of Access Requests and Direct Access, including (if known): the dates, the identity of the requestor/accessor, the purpose of the Access Request or Direct Access, the type of data requested or accessed, whether it was challenged or appealed, and the outcome; and the Transferred Data which was provided or accessed; and
provide a copy of this written record to the Exporter on each Review Date and any time the Exporter or the ICO reasonably requests.
Giving notice
If a Party is required to notify any other Party in this IDTA it will be marked for the attention of the relevant Key Contact and sent by e-mail to the e-mail address given for the Key Contact.
If the notice is sent in accordance with Section 24.1, it will be deemed to have been delivered at the time the e-mail was sent, or if that time is outside of the receiving Party’s normal business hours, the receiving Party’s next normal business day, and provided no notice of non-delivery or bounceback is received.
The Parties agree that any Party can update their Key Contact details by giving 14 days’ (or more) notice in writing to the other Party.
General clauses
In relation to the transfer of the Transferred Data to the Importer and the Importer’s Processing of the Transferred Data, this IDTA and any Linked Agreement:
contain all the terms and conditions agreed by the Parties; and
override all previous contacts and arrangements, whether oral or in writing.
If one Party made any oral or written statements to the other before entering into this IDTA (which are not written in this IDTA) the other Party confirms that it has not relied on those statements and that it will not have a legal remedy if those statements are untrue or incorrect, unless the statement was made fraudulently.
Neither Party may novate, assign or obtain a legal charge over this IDTA (in whole or in part) without the written consent of the other Party, which may be set out in the Linked Agreement.
Except as set out in Section 17.1, neither Party may sub-contract its obligations under this IDTA without the written consent of the other Party, which may be set out in the Linked Agreement.
This IDTA does not make the Parties a partnership, nor appoint one Party to act as the agent of the other Party.
If any Section (or part of a Section) of this IDTA is or becomes illegal, invalid or unenforceable, that will not affect the legality, validity and enforceability of any other Section (or the rest of that Section) of this IDTA.
If a Party does not enforce, or delays enforcing, its rights or remedies under or in relation to this IDTA, this will not be a waiver of those rights or remedies. In addition, it will not restrict that Party’s ability to enforce those or any other right or remedy in future.
If a Party chooses to waive enforcing a right or remedy under or in relation to this IDTA, then this waiver will only be effective if it is made in writing. Where a Party provides such a written waiver:
it only applies in so far as it explicitly waives specific rights or remedies;
it shall not prevent that Party from exercising those rights or remedies in the future (unless it has explicitly waived its ability to do so); and
it will not prevent that Party from enforcing any other right or remedy in future.
What happens if there is a breach of this IDTA?
Breaches of this IDTA
Each Party must notify the other Party in writing (and with all relevant details) if it:
has breached this IDTA; or
it should reasonably anticipate that it may breach this IDTA, and provide any information about this which the other Party reasonably requests.
In this IDTA “Significant Harmful Impact” means that there is more than a minimal risk of a breach of the IDTA causing (directly or indirectly) significant damage to any Relevant Data Subject or the other Party.
Breaches of this IDTA by the Importer
If the Importer has breached this IDTA, and this has a Significant Harmful Impact, the Importer must take steps Without Undue Delay to end the Significant Harmful Impact, and if that is not possible to reduce the Significant Harmful Impact as much as possible.
Until there is no ongoing Significant Harmful Impact on Relevant Data Subjects:
the Exporter must suspend sending Transferred Data to the Importer;
If the Importer is the Exporter’s Processor or Sub-Processor: if the Exporter requests, the Importer must securely delete all Transferred Data or securely return it to the Exporter (or a third party named by the Exporter); and
if the Importer has transferred on the Transferred Data to a third party receiver under Section 16, and the breach has a Significant Harmful Impact on Relevant Data Subject when it is Processed by or on behalf of that third party receiver, the Importer must:
notify the third party receiver of the breach and suspend sending it Transferred Data; and
if the third party receiver is the Importer’s Processor or Sub-Processor: make the third party receiver securely delete all Transferred Data being Processed by it or on its behalf, or securely return it to the Importer (or a third party named by the Importer).
If the breach cannot be corrected Without Undue Delay, so there is no ongoing Significant Harmful Impact on Relevant Data Subjects, the Exporter must end this IDTA under Section 30.1.
Breaches of this IDTA by the Exporter
If the Exporter has breached this IDTA, and this has a Significant Harmful Impact, the Exporter must take steps Without Undue Delay to end the Significant Harmful Impact and if that is not possible to reduce the Significant Harmful Impact as much as possible.
Until there is no ongoing risk of a Significant Harmful Impact on Relevant Data Subjects, the Exporter must suspend sending Transferred Data to the Importer.
If the breach cannot be corrected Without Undue Delay, so there is no ongoing Significant Harmful Impact on Relevant Data Subjects, the Importer must end this IDTA under Section 30.1.
Ending the IDTA
How to end this IDTA without there being a breach
The IDTA will end:
at the end of the Term stated in Table 2: Transfer Details; or
if in Table 2: Transfer Details, the Parties can end this IDTA by providing written notice to the other: at the end of the notice period stated;
at any time that the Parties agree in writing that it will end; or
at the time set out in Section 29.2.
If the ICO issues a revised Approved IDTA under Section 5.4, if any Party selected in Table 2 “Ending the IDTA when the Approved IDTA changes”, will as a direct result of the changes in the Approved IDTA have a substantial, disproportionate and demonstrable increase in:
its direct costs of performing its obligations under the IDTA; and/or
its risk under the IDTA,
and in either case it has first taken reasonable steps to reduce that cost or risk so that it is not substantial and disproportionate, that Party may end the IDTA at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved IDTA.
How to end this IDTA if there is a breach
A Party may end this IDTA immediately by giving the other Party written notice if:
the other Party has breached this IDTA and this has a Significant Harmful Impact. This includes repeated minor breaches which taken together have a Significant Harmful Impact, and
the breach can be corrected so there is no Significant Harmful Impact, and the other Party has failed to do so Without Undue Delay (which cannot be more than 14 days of being required to do so in writing); or
the breach and its Significant Harmful Impact cannot be corrected;
the Importer can no longer comply with Section 8.3, as there are Local Laws which mean it cannot comply with this IDTA and this has a Significant Harmful Impact.
What must the Parties do when the IDTA ends?
If the parties wish to bring this IDTA to an end or this IDTA ends in accordance with any provision in this IDTA, but the Importer must comply with a Local Law which requires it to continue to keep any Transferred Data then this IDTA will remain in force in respect of any retained Transferred Data for as long as the retained Transferred Data is retained, and the Importer must:
notify the Exporter Without Undue Delay, including details of the relevant Local Law and the required retention period;
retain only the minimum amount of Transferred Data it needs to comply with that Local Law, and the Parties must ensure they maintain the Appropriate Safeguards, and change the Tables and Extra Protection Clauses, together with any TRA to reflect this; and
stop Processing the Transferred Data as soon as permitted by that Local Law and the IDTA will then end and the rest of this Section 29 will apply.
When this IDTA ends (no matter what the reason is):
the Exporter must stop sending Transferred Data to the Importer; and
if the Importer is the Exporter’s Processor or Sub-Processor: the Importer must delete all Transferred Data or securely return it to the Exporter (or a third party named by the Exporter), as instructed by the Exporter;
if the Importer is a Controller and/or not the Exporter’s Processor or Sub-Processor: the Importer must securely delete all Transferred Data.
the following provisions will continue in force after this IDTA ends (no matter what the reason is):
Section 1 (This IDTA and Linked Agreements);
Section 2 (Legal Meaning of Words);
Section 6 (Understanding this IDTA);
Section 7 (Which laws apply to this IDTA);
Section 10 (The ICO);
Sections 11.1 and 11.4 (Exporter’s obligations);
Sections 12.1.2, 12.1.3, 12.1.4, 12.1.5 and 12.1.6 (General Importer obligations);
Section 13.1 (Importer’s obligations if it is subject to UK Data Protection Laws);
Section 17 (Importer’s responsibility if it authorised others to perform its obligations);
Section 24 (Giving notice);
Section 25 (General clauses);
Section 31 (What must the Parties do when the IDTA ends);
Section 32 (Your liability);
Section 33 (How Relevant Data Subjects and the ICO may bring legal claims);
Section 34 (Courts legal claims can be brought in);
Section 35 (Arbitration); and
Section 36 (Legal Glossary).
How to bring a legal claim under this IDTA
Your liability
The Parties remain fully liable to Relevant Data Subjects for fulfilling their obligations under this IDTA and (if they apply) under UK Data Protection Laws.
Each Party (in this Section, “Party One”) agrees to be fully liable to Relevant Data Subjects for the entire damage suffered by the Relevant Data Subject, caused directly or indirectly by:
Party One’s breach of this IDTA; and/or
where Party One is a Processor, Party One’s breach of any provisions regarding its Processing of the Transferred Data in the Linked Agreement;
where Party One is a Controller, a breach of this IDTA by the other Party if it involves Party One’s Processing of the Transferred Data (no matter how minimal)
in each case unless Party One can prove it is not in any way responsible for the event giving rise to the damage.
If one Party has paid compensation to a Relevant Data Subject under Section 32.2, it is entitled to claim back from the other Party that part of the compensation corresponding to the other Party’s responsibility for the damage, so that the compensation is fairly divided between the Parties.
The Parties do not exclude or restrict their liability under this IDTA or UK Data Protection Laws, on the basis that they have authorised anyone who is not a Party (including a Processor) to perform any of their obligations, and they will remain responsible for performing those obligations.
How Relevant Data Subjects and the ICO may bring legal claims
The Relevant Data Subjects are entitled to bring claims against the Exporter and/or Importer for breach of the following (including where their Processing of the Transferred Data is involved in a breach of the following by either Party):
• Section 1 (This IDTA and Linked Agreements);
• Section 3 (You have provided all the information required by Part one: Tables and Part two: Extra Protection Clauses);
• Section 8 (The Appropriate Safeguards);
• Section 9 (Reviews to ensure the Appropriate Safeguards continue);
• Section 11 (Exporter’s obligations);
• Section 12 (General Importer Obligations);
• Section 13 (Importer’s obligations if it is subject to UK Data Protection Laws);
• Section 14 (Importer’s obligations to comply with key data protection laws);
• Section 15 (What happens if there is an Importer Personal Data Breach);
• Section 16 (Transferring on the Transferred Data);
• Section 17 (Importer’s responsibility if it authorises others to perform its obligations);
• Section 18 (The right to a copy of the IDTA);
• Section 19 (The Importer’s contact details for the Relevant Data Subjects);
• Section 20 (How Relevant Data Subjects can exercise their data subject rights);
• Section 21 (How Relevant Data Subjects can exercise their data subject rights – if the Importer is the Exporter’s Processor or Sub-Processor);
• Section 23 (Access Requests and Direct Access);
• Section 26 (Breaches of this IDTA);
• Section 27 (Breaches of this IDTA by the Importer);
• Section 28 (Breaches of this IDTA by the Exporter);
• Section 30 (How to end this IDTA if there is a breach);
• Section 31 (What must the Parties do when the IDTA ends); and
• any other provision of the IDTA which expressly or by implication benefits the Relevant Data Subjects.
The ICO is entitled to bring claims against the Exporter and/or Importer for breach of the following Sections: Section 10 (The ICO), Sections 11.1 and 11.2 (Exporter’s obligations), Section 12.1.6 (General Importer obligations) and Section 13 (Importer’s obligations if it is subject to UK Data Protection Laws).
No one else (who is not a Party) can enforce any part of this IDTA (including under the Contracts (Rights of Third Parties) Act 1999).
The Parties do not need the consent of any Relevant Data Subject or the ICO to make changes to this IDTA, but any changes must be made in accordance with its terms.
In bringing a claim under this IDTA, a Relevant Data Subject may be represented by a not-for-profit body, organisation or association under the same conditions set out in Article 80(1) UK GDPR and sections 187 to 190 of the Data Protection Act 2018.
Courts legal claims can be brought in
The courts of the UK country set out in Table 2: Transfer Details have non-exclusive jurisdiction over any claim in connection with this IDTA (including non-contractual claims).
The Exporter may bring a claim against the Importer in connection with this IDTA (including non-contractual claims) in any court in any country with jurisdiction to hear the claim.
The Importer may only bring a claim against the Exporter in connection with this IDTA (including non-contractual claims) in the courts of the UK country set out in the Table 2: Transfer Details.
Relevant Data Subjects and the ICO may bring a claim against the Exporter and/or the Importer in connection with this IDTA (including non-contractual claims) in any court in any country with jurisdiction to hear the claim.
Each Party agrees to provide to the other Party reasonable updates about any claims or complaints brought against it by a Relevant Data Subject or the ICO in connection with the Transferred Data (including claims in arbitration).
Arbitration
Instead of bringing a claim in a court under Section 34, any Party, or a Relevant Data Subject may elect to refer any dispute arising out of or in connection with this IDTA (including non-contractual claims) to final resolution by arbitration under the Rules of the London Court of International Arbitration, and those Rules are deemed to be incorporated by reference into this Section 35.
The Parties agree to submit to any arbitration started by another Party or by a Relevant Data Subject in accordance with this Section 35.
There must be only one arbitrator. The arbitrator (1) must be a lawyer qualified to practice law in one or more of England and Wales, or Scotland, or Northern Ireland and (2) must have experience of acting or advising on disputes relating to UK Data Protection Laws.
London shall be the seat or legal place of arbitration. It does not matter if the Parties selected a different UK country as the ‘primary place for legal claims to be made’ in Table 2: Transfer Details.
The English language must be used in the arbitral proceedings.
English law governs this Section 35. This applies regardless of whether or not the parties selected a different UK country’s law as the ‘UK country’s law that governs the IDTA’ in Table 2: Transfer Details.
Legal Glossary
Word or Phrase | Legal definition (this is how this word or phrase must be interpreted in the IDTA)
Access Request | As defined in Section 23, as a legally binding request (except for requests only binding by contract law) to access any Transferred Data.
Adequate Country | A third country, or: a territory; one or more sectors or organisations within a third country; an international organisation; which the Secretary of State has specified by regulations provides an adequate level of protection of Personal Data in accordance with Section 17A of the Data Protection Act 2018.
Appropriate Safeguards | The standard of protection over the Transferred Data and of the Relevant Data Subject’s rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved IDTA | The template IDTA A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4.
Commercial Clauses | The commercial clauses set out in Part three.
Controller | As defined in the UK GDPR.
Damage | All material and non-material loss and damage.
Data Subject | As defined in the UK GDPR.
Decision-Making | As defined in Section 20.6, as decisions about the Relevant Data Subjects based solely on automated processing, including profiling, using the Transferred Data.
Direct Access | As defined in Section 23 as direct access to any Transferred Data by public authorities of which the Importer is aware.
Exporter | The exporter identified in Table 1: Parties & Signature.
Extra Protection Clauses | The clauses set out in Part two: Extra Protection Clauses.
ICO | The Information Commissioner.
Importer | The importer identified in Table 1: Parties & Signature.
Importer Data Subject Contact | The Importer Data Subject Contact identified in Table 1: Parties & Signature, which may be updated in accordance with Section 19.
Importer Information | As defined in Section 8.3.1, as all relevant information regarding Local Laws and practices and the protections and risks which apply to the Transferred Data when it is Processed by the Importer, including for the Exporter to carry out any TRA.
Importer Personal Data Breach | A ‘personal data breach’ as defined in UK GDPR, in relation to the Transferred Data when Processed by the Importer.
Linked Agreement | The linked agreements set out in Table 2: Transfer Details (if any).
Local Laws | Laws which are not the laws of the UK and which bind the Importer.
Mandatory Clauses | Part four: Mandatory Clauses of this IDTA.
Notice Period | As set out in Table 2: Transfer Details.
Party/Parties | The parties to this IDTA as set out in Table 1: Parties & Signature.
Personal Data | As defined in the UK GDPR.
Personal Data Breach | As defined in the UK GDPR.
Processing | As defined in the UK GDPR. When the IDTA refers to Processing by the Importer, this includes where a third party Sub-Processor of the Importer is Processing on the Importer’s behalf.
Processor | As defined in the UK GDPR.
Purpose | The ‘Purpose’ set out in Table 2: Transfer Details, including any purposes which are not incompatible with the purposes stated or referred to.
Relevant Data Subject | A Data Subject of the Transferred Data.
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR.
Review Dates | The review dates or period for the Security Requirements set out in Table 2: Transfer Details, and any review dates set out in any revised Approved IDTA.
Significant Harmful Impact | As defined in Section 26.2 as where there is more than a minimal risk of the breach causing (directly or indirectly) significant harm to any Relevant Data Subject or the other Party.
Special Category Data | As described in the UK GDPR, together with criminal conviction or criminal offence data.
Start Date | As set out in Table 1: Parties and signature.
Sub-Processor | A Processor appointed by another Processor to Process Personal Data on its behalf. This includes Sub-Processors of any level, for example a Sub-Sub-Processor.
Tables | The Tables set out in Part one of this IDTA.
Term | As set out in Table 2: Transfer Details.
Third Party Controller | The Controller of the Transferred Data where the Exporter is a Processor or Sub-Processor. If there is not a Third Party Controller this can be disregarded.
Transfer Risk Assessment or TRA | A risk assessment in so far as it is required by UK Data Protection Laws to demonstrate that the IDTA provides the Appropriate Safeguards.
Transferred Data | Any Personal Data which the Parties transfer, or intend to transfer under this IDTA, as described in Table 2: Transfer Details.
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR | As defined in Section 3 of the Data Protection Act 2018.
Without Undue Delay | Without undue delay, as that phrase is interpreted in the UK GDPR.
Alternative Part 4 Mandatory Clauses:
Mandatory Clauses | Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.
SCHEDULE B – PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Subject matter of processing:
Lumi provides a cloud-based platform, for pre to post-production and delivery, which brings everything into a central hub, giving those with access to a particular production an immediate context for their role, no matter when they join a project, and from wherever they work. Production management and casting execs will be able to track casting applications and successes for all onscreen cast/talent, as well as auditions and outcomes, with space for notes, and all will be updated and added to as production moves forward.
Duration of Processing:
The duration of the Term of the Agreement only and no longer.
Nature of Processing:
In line with the subject matter of the processing, Lumi will process Client Personal Data in accordance with the terms of the applicable Agreement(s).
Business Purposes:
For the purposes of Lumi providing the services outlined in Clause 4.1 of the executed Lumi Subscription Terms and Conditions Agreement.
Personal Data Categories:
Full names; email addresses; postal home addresses; contact details; links to data subjects’ social media platforms (including Facebook, LinkedIn); health data in the form of covid vaccination status and the outcome of a covid test; the outcome of psychometric tests; the outcome of criminal background checks.
Data Subject Types:
Employees of Client; General members of the public who apply to be a part of a production run by the Client.
Approved Sub-processors:
Sub-processor | Function / Data Processing Activity | Location of Processing
FullStory | UX data analytics. Used to monitor a user’s experience. We use this data to refine our UI. FullStory processes data at the screen level but this can sometimes show card titles and field data. FullStory deletes all data after 3 months. | Google Cloud Platform located within the US
ckEditor | SaaS based solution used to provide collaborative editing in the Lumi tabs. | Poland
Microsoft Azure | Our SaaS servers | Australia – East Coast
Privacy Policy
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You. By accessing or using Lumi, you acknowledge that you have read and understood this Privacy Policy.
We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Business, for the purpose of the CCPA (California Consumer Privacy Act), refers to the Company as the legal entity that collects Consumers' personal information and determines the purposes and means of the processing of Consumers' personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California.
- Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Lumi Co Pty Ltd, 20 Tombonda Drive, Kiama, NSW, 2533.
  For the purpose of the GDPR, the Company is the Data Controller.
- Consumer, for the purpose of the CCPA (California Consumer Privacy Act), means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Country refers to: New South Wales, Australia
- Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Do Not Track (DNT) is a concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
- Personal Data is any information that relates to an identified or identifiable individual.
  For the purposes of the GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
  For the purposes of the CCPA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You.
- Sale, for the purpose of the CCPA (California Consumer Privacy Act), means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's personal information to another business or a third party for monetary or other valuable consideration.
- Service refers to the Website.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.
- Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Website refers to Lumi Media, accessible from lumi.media
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
  Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Usage Data
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Tracking Technologies and Cookies
We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service. The technologies We use may include:
- Cookies or Browser Cookies. A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service. Unless you have adjusted Your browser setting so that it will refuse Cookies, our Service may use Cookies.
- Flash Cookies. Certain features of our Service may use local stored objects (or Flash Cookies) to collect and store information about Your preferences or Your activity on our Service. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies. For more information on how You can delete Flash Cookies, please read "Where can I change the settings for disabling, or deleting local shared objects?" available at https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html#main_Where_can_I_change_the_settings_for_disabling__or_deleting_local_shared_objects_
- Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser. You can learn more about cookies here: All About Cookies by TermsFeed.
We use both Session and Persistent Cookies for the purposes set out below:
- Necessary / Essential Cookies
  Type: Session Cookies
  Administered by: Us
  Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
- Cookies Policy / Notice Acceptance Cookies
  Type: Persistent Cookies
  Administered by: Us
  Purpose: These Cookies identify if users have accepted the use of cookies on the Website.
- Functionality Cookies
  Type: Persistent Cookies
  Administered by: Us
  Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
- Tracking and Performance Cookies
  Type: Persistent Cookies
  Administered by: Third-Parties
  Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features or new functionality of the Website to see how our users react to them.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy or the Cookies section of our Privacy Policy.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To manage our client relationships: We may store your contact details (e.g. name, email address, phone number) in our customer relationship management (CRM) system, such as HubSpot. This helps us provide you with product updates, respond to support requests, conduct customer satisfaction surveys, and send marketing communications where permitted by law or with your consent. You can opt out of marketing communications at any time by using the unsubscribe link or contacting us directly.
- To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to Us.
- For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
- For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.
We may share Your personal information in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
- For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
- With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
- With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
- With Your consent: We may disclose Your personal information for any other purpose with Your consent.
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.
Disclosure of Your Personal Data
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of Users of the Service or the public
- Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Detailed Information on the Processing of Your Personal Data
The Service Providers We use may have access to Your Personal Data. These third-party vendors collect, store, use, process and transfer information about Your activity on Our Service in accordance with their Privacy Policies.
Analytics
We may use third-party Service providers to monitor and analyze the use of our Service.
- Google Analytics
  Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
  You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity.
For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy
Email Marketing
We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.
We may use Email Marketing Service Providers to manage and send emails to You.
- HubSpot
  Their Privacy Policy can be viewed at https://legal.hubspot.com/privacy-policy
Usage, Performance and Miscellaneous
We may use third-party Service Providers to provide better improvement of our Service.
- HubSpot
  Their Privacy Policy can be viewed at https://legal.hubspot.com/privacy-policy
GDPR Privacy
Legal Basis for Processing Personal Data under GDPR
We may process Personal Data under the following conditions:
- Consent: You have given Your consent for processing Personal Data for one or more specific purposes.
- Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.
- Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
- Vital interests: Processing Personal Data is necessary in order to protect Your vital interests or of another natural person.
- Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
- Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.
In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Your Rights under the GDPR
The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.
You have the right under this Privacy Policy, and by law if You are within the EU, to:
- Request access to Your Personal Data. The right to access, update or delete the information We have on You. Whenever made possible, you can access, update or request deletion of Your Personal Data directly within Your account settings section. If you are unable to perform these actions yourself, please contact Us to assist You. This also enables You to receive a copy of the Personal Data We hold about You.
- Request correction of the Personal Data that We hold about You. You have the right to have any incomplete or inaccurate information We hold about You corrected.
- Object to processing of Your Personal Data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.
- Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.
- Request the transfer of Your Personal Data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.
- Withdraw Your consent. You have the right to withdraw Your consent on using your Personal Data. If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.
Exercising of Your GDPR Data Protection Rights
You may exercise Your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.
You have the right to complain to a Data Protection Authority about Our collection and use of Your Personal Data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.
CCPA Privacy
This privacy notice section for California residents supplements the information contained in Our Privacy Policy and it applies solely to all visitors, users, and others who reside in the State of California.
Categories of Personal Information Collected
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or Device. The following is a list of categories of personal information which we may collect or may have been collected from California residents within the last twelve (12) months.
Please note that the categories and examples provided in the list below are those defined in the CCPA. This does not mean that all examples of that category of personal information were in fact collected by Us, but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been collected. For example, certain categories of personal information would only be collected if You provided such personal information directly to Us.
- Category A: Identifiers.
  Examples: A real name, alias, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.
  Collected: Yes.
- Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
  Examples: A name, signature, address, telephone number, bank account number, credit card number, debit card number, or any other financial information. Some personal information included in this category may overlap with other categories.
  Collected: Yes.
- Category C: Protected classification characteristics under California or federal law.
  Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
  Collected: No.
- Category D: Commercial information.
  Examples: Records and history of products or services purchased or considered.
  Collected: No.
- Category E: Biometric information.
  Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
  Collected: No.
- Category F: Internet or other similar network activity.
  Examples: Interaction with our Service or advertisement.
  Collected: Yes.
- Category G: Geolocation data.
  Examples: Approximate physical location.
  Collected: Yes.
- Category H: Sensory data.
  Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
  Collected: No.
- Category I: Professional or employment-related information.
  Examples: Current or past job history or performance evaluations.
  Collected: No.
- Category J: Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
  Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
  Collected: No.
- Category K: Inferences drawn from other personal information.
  Examples: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  Collected: No.
Under CCPA, personal information does not include:
- Publicly available information from government records
- Deidentified or aggregated consumer information
- Information excluded from the CCPA's scope, such as:
  - Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
  - Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994
Sources of Personal Information
We obtain the categories of personal information listed above from the following categories of sources:
- Directly from You. For example, from the forms You complete on our Service, preferences You express or provide through our Service.
- Indirectly from You. For example, from observing Your activity on our Service.
- Automatically from You. For example, through cookies We or our Service Providers set on Your Device as You navigate through our Service.
- From Service Providers. For example, third-party vendors to monitor and analyze the use of our Service, or other third-party vendors that We use to provide the Service to You.
Use of Personal Information for Business Purposes or Commercial Purposes
We may use or disclose personal information We collect for "business purposes" or "commercial purposes" (as defined under the CCPA), which may include the following examples:
- To operate our Service and provide You with our Service.
- To provide You with support and to respond to Your inquiries, including to investigate and address Your concerns and monitor and improve our Service.
- To fulfill or meet the reason You provided the information. For example, if You share Your contact information to ask a question about our Service, We will use that personal information to respond to Your inquiry.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to You when collecting Your personal information or as otherwise set forth in the CCPA.
- For internal administrative and auditing purposes.
- To detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity, including, when necessary, to prosecute those responsible for such activities.
Please note that the examples provided above are illustrative and not intended to be exhaustive. For more details on how we use this information, please refer to the "Use of Your Personal Data" section.
If We decide to collect additional categories of personal information or use the personal information We collected for materially different, unrelated, or incompatible purposes We will update this Privacy Policy.
Disclosure of Personal Information for Business Purposes or Commercial Purposes
We may use or disclose and may have used or disclosed in the last twelve (12) months the following categories of personal information for business or commercial purposes:
- Category A: Identifiers
- Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
- Category F: Internet or other similar network activity
Please note that the categories listed above are those defined in the CCPA. This does not mean that all examples of that category of personal information were in fact disclosed, but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been disclosed.
When We disclose personal information for a business purpose or a commercial purpose, We enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
Sale of Personal Information
We do not sell the personal information of Consumers.
Share of Personal Information
We may share Your personal information identified in the above categories with the following categories of third parties:
- Service Providers
- Our affiliates
- Our business partners
- Third party vendors to whom You or Your agents authorize Us to disclose Your personal information in connection with products or services We provide to You
Sale of Personal Information of Minors Under 16 Years of Age
We do not sell the personal information of Consumers We actually know are less than 16 years of age. If You have reason to believe that a child under the age of 13 (or 16) has provided Us with personal information, please contact Us with sufficient detail to enable Us to delete that information.
Your Rights under the CCPA
The CCPA provides California residents with specific rights regarding their personal information. If You are a resident of California, You have the following rights:
- The right to notice. You have the right to be notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.
- The right to request. Under CCPA, You have the right to request that We disclose information to You about Our collection, use, sale, disclosure for business purposes and share of personal information. Once We receive and confirm Your request, We will disclose to You:
  - The categories of personal information We collected about You
  - The categories of sources for the personal information We collected about You
  - Our business or commercial purpose for collecting or selling that personal information
  - The categories of third parties with whom We share that personal information
  - The specific pieces of personal information We collected about You
  - If We sold Your personal information or disclosed Your personal information for a business purpose, We will disclose to You:
    - The categories of personal information sold
    - The categories of personal information disclosed
- The right to say no to the sale of Personal Data (opt-out). You have the right to direct Us to not sell Your personal information. To submit an opt-out request please contact Us.
- The right to delete Personal Data. You have the right to request the deletion of Your Personal Data, subject to certain exceptions. Once We receive and confirm Your request, We will delete (and direct Our Service Providers to delete) Your personal information from our records, unless an exception applies. We may deny Your deletion request if retaining the information is necessary for Us or Our Service Providers to:
  - Complete the transaction for which We collected the personal information, provide a good or service that You requested, take actions reasonably anticipated within the context of our ongoing business relationship with You, or otherwise perform our contract with You.
  - Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  - Debug products to identify and repair errors that impair existing intended functionality.
  - Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  - Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  - Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if You previously provided informed consent.
  - Enable solely internal uses that are reasonably aligned with consumer expectations based on Your relationship with Us.
  - Comply with a legal obligation.
  - Make other internal and lawful uses of that information that are compatible with the context in which You provided it.
- The right not to be discriminated against. You have the right not to be discriminated against for exercising any of Your consumer's rights, including by:
  - Denying goods or services to You
  - Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties
  - Providing a different level or quality of goods or services to You
  - Suggesting that You will receive a different price or rate for goods or services or a different level or quality of goods or services
Exercising Your CCPA Data Protection Rights
In order to exercise any of Your rights under the CCPA, and if You are a California resident, You can contact Us:
- By email: admin@lumi.media
Only You, or a person registered with the California Secretary of State that You authorize to act on Your behalf, may make a verifiable request related to Your personal information.
Your request to Us must:
- Provide sufficient information that allows Us to reasonably verify You are the person about whom We collected personal information or an authorized representative
- Describe Your request with sufficient detail that allows Us to properly understand, evaluate, and respond to it
We cannot respond to Your request or provide You with the required information if We cannot:
- Verify Your identity or authority to make the request
- And confirm that the personal information relates to You
We will disclose and deliver the required information free of charge within 45 days of receiving Your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.
Any disclosures We provide will only cover the 12-month period preceding the verifiable request's receipt.
For data portability requests, We will select a format to provide Your personal information that is readily useable and should allow You to transmit the information from one entity to another entity without hindrance.
Do Not Sell My Personal Information
You have the right to opt-out of the sale of Your personal information. Once We receive and confirm a verifiable consumer request from You, we will stop selling Your personal information. To exercise Your right to opt-out, please contact Us.
The Service Providers we partner with (for example, our analytics or advertising partners) may use technology on the Service that sells personal information as defined by the CCPA law. If you wish to opt out of the use of Your personal information for interest-based advertising purposes and these potential sales as defined under CCPA law, you may do so by following the instructions below.
Please note that any opt out is specific to the browser You use. You may need to opt out on every browser that You use.
Website
You can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions presented on the Service:
- The NAI's opt-out platform: http://www.networkadvertising.org/choices/
- The EDAA's opt-out platform: http://www.youronlinechoices.com/
- The DAA's opt-out platform: http://optout.aboutads.info/?c=2&lang=EN
The opt out will place a cookie on Your computer that is unique to the browser You use to opt out. If you change browsers or delete the cookies saved by your browser, You will need to opt out again.
Mobile Devices
Your mobile device may give You the ability to opt out of the use of information about the apps You use in order to serve You ads that are targeted to Your interests:
- "Opt out of Interest-Based Ads" or "Opt out of Ads Personalization" on Android devices
- "Limit Ad Tracking" on iOS devices
You can also stop the collection of location information from Your mobile device by changing the preferences on Your mobile device.
"Do Not Track" Policy as Required by California Online Privacy Protection Act (CalOPPA)
Our Service does not respond to Do Not Track signals.
However, some third party websites do keep track of Your browsing activities. If You are visiting such websites, You can set Your preferences in Your web browser to inform websites that You do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of Your web browser.
Your California Privacy Rights (California's Shine the Light law)
Under California Civil Code Section 1798 (California's Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties' direct marketing purposes.
If you'd like to request more information under the California Shine the Light law, and if You are a California resident, You can contact Us using the contact information provided below.
California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)
California Business and Professions Code section 22581 allows California residents under the age of 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted.
To request removal of such data, and if You are a California resident, You can contact Us using the contact information provided below, and include the email address associated with Your account.
Be aware that Your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.
We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
Contact Us
If you have any questions about this Privacy Policy, You can contact us:
- By email: admin@lumi.media