Data Processing Addendum
Version 0.1 · Last updated 6 June 2026. This is a template subject to lawyer review before execution.
This Data Processing Addendum (the “DPA”) forms part of the master commercial agreement between Lyvwell Health FZ-LLC (“Lyvwell”) and the partner organisation named in that agreement (the “Partner”). It governs how Lyvwell processes Personal Data on the Partner’s behalf when Lyvwell acts as a Processor. Where the master agreement and this DPA conflict on data-protection matters, this DPA controls.
1. Definitions
Terms used in this DPA carry the meaning given to them by applicable Data Protection Laws, including the UAE Personal Data Protection Law (PDPL), Ghana’s Data Protection Act 2012 (Act 843), and the EU General Data Protection Regulation (GDPR) where it applies.
Controller means the party that determines the purposes and means of processing Personal Data, typically the Partner.
Processor means the party that processes Personal Data on behalf of the Controller; in this DPA, that party is Lyvwell.
Personal Data means any information relating to an identified or identifiable natural person processed under the master agreement.
Data Subject means the individual to whom Personal Data relates, typically the Partner’s employees or covered members.
Sub-processor means any third party engaged by Lyvwell to process Personal Data on the Partner’s behalf.
2. Roles and scope
The Partner is the Controller of the Personal Data of its employees, members, or dependants enrolled in the Lyvwell programme. Lyvwell is the Processor of that Personal Data. The Personal Data covered, categories of Data Subjects, and duration of processing are described in Annex A of this DPA.
Lyvwell processes Personal Data only to perform its obligations under the master agreement, in accordance with the Partner’s documented instructions, and as required by applicable law. Lyvwell will inform the Partner if it believes an instruction would cause it to violate applicable Data Protection Laws.
3. Lyvwell’s obligations
Lyvwell shall:
- process Personal Data only for the purposes set out in the master agreement and in line with the Partner’s documented instructions;
- ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations;
- implement and maintain the technical and organisational security measures described in Section 5;
- assist the Partner, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests (Section 7);
- notify the Partner of Personal Data Breaches in line with Section 8;
- delete or return Personal Data to the Partner at the end of the engagement (Section 11);
- make available to the Partner information necessary to demonstrate compliance with this DPA and contribute to audits (Section 10).
4. Confidentiality
Lyvwell will keep Personal Data confidential and will not disclose it to any third party except (a) to its Sub-processors under Section 6, (b) where required to perform the master agreement, or (c) where required by applicable law. Personnel access to Personal Data is restricted to those with a documented operational need.
5. Security measures
Lyvwell maintains technical and organisational measures appropriate to the risk of processing Personal Data, including:
- encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- field-level encryption for sensitive identifiers using a managed Key Encryption Key (KEK);
- access controls based on least privilege, with role-based access and audit logging of administrative actions;
- strong authentication for all administrative access, including multi-factor authentication;
- regular vulnerability scanning of code and infrastructure, and patching on a documented cadence;
- secure software-development practices including peer review of code changes and automated testing;
- environment separation between development, staging, and production data;
- incident-response procedures documented and exercised, with on-call coverage for production incidents;
- annual security review and, where applicable to the engagement, independent assessment.
The Partner acknowledges that Lyvwell may update its security measures from time to time, provided the updated measures do not materially decrease the level of protection.
6. Sub-processors
The Partner provides general written authorisation for Lyvwell to engage Sub-processors to process Personal Data under this DPA, subject to the following conditions:
- Lyvwell maintains an up-to-date list of Sub-processors and the categories of processing each performs (the current list is available on request to privacy@lyvwell.health);
- Lyvwell imposes on each Sub-processor data-protection obligations equivalent to those set out in this DPA;
- Lyvwell remains liable to the Partner for the performance of any Sub-processor;
- Lyvwell will give the Partner reasonable advance notice of any intended addition or replacement of a Sub-processor, and the Partner may object on reasonable, documented data-protection grounds.
7. Data Subject rights
Where a Data Subject contacts Lyvwell directly to exercise their rights (access, rectification, erasure, restriction, portability, objection), Lyvwell will refer them to the Partner unless the Partner has instructed otherwise in writing. Lyvwell will assist the Partner, by appropriate technical and organisational measures, in responding to verified Data Subject requests within the timelines required by applicable Data Protection Laws.
8. Personal Data Breach notification
Lyvwell will notify the Partner without undue delay, and in any event within 72 hours of becoming aware, of any confirmed Personal Data Breach affecting the Partner’s Personal Data. The notification will include, to the extent then known, the nature of the breach, categories and approximate volume of affected Personal Data, likely consequences, and measures Lyvwell has taken or proposes to take in response. Lyvwell will update the notification as additional information becomes available.
9. International data transfers
Personal Data may be processed and stored in jurisdictions outside the country of origin, including the United Arab Emirates, the European Economic Area, and other locations where Lyvwell or its Sub-processors operate. Where required by applicable Data Protection Laws, transfers will be subject to appropriate safeguards, including Standard Contractual Clauses or an equivalent transfer mechanism recognised by the relevant Data Protection Authority. The current list of processing locations is available on request.
10. Audits
Lyvwell will, on the Partner’s reasonable written request and no more than once in any twelve-month period (except where required by a Data Protection Authority or following a Personal Data Breach), make available information necessary to demonstrate compliance with this DPA. Where a third-party audit report or certification (for example, SOC 2 or ISO 27001) is available and addresses the Partner’s reasonable concerns, that report will satisfy the audit obligation. On-site audits, where required, will be scheduled with reasonable advance notice and conducted under confidentiality.
11. Return and deletion
On termination or expiry of the master agreement, the Partner may elect, within 30 days, to have Personal Data returned in a commonly used machine-readable format or deleted. Absent an election, Lyvwell will delete Personal Data within 60 days of termination, subject to limited retention for: (a) backups, which are cycled and overwritten on a documented schedule; and (b) records required for legal, regulatory, or audit purposes, retained only for as long as required.
12. Liability
Each party’s liability under this DPA is subject to the limitations set out in the master agreement, except where applicable Data Protection Laws prohibit such limitation.
13. Order of precedence
Where this DPA and the master agreement conflict on data-protection matters, this DPA controls. Where this DPA and Standard Contractual Clauses (where used) conflict, the Standard Contractual Clauses control.
14. Governing law
This DPA is governed by the law and jurisdiction specified in the master agreement, except where mandatory provisions of the applicable Data Protection Laws require otherwise.
Annex A: Description of processing
Subject matter: Provision of the Lyvwell preventive-health and rewards platform to the Partner’s employees, members, or dependants.
Duration: The term of the master agreement, plus the limited retention periods described in Section 11.
Nature and purpose of processing: Account creation; ingestion of wearable and self-reported health data; computation of LyvScore; issuance and redemption of Lyv Coins; partner reporting; product analytics in line with the Partner’s instructions.
Categories of Data Subjects: The Partner’s employees, members, dependants, or other individuals enrolled in the Lyvwell programme by the Partner.
Categories of Personal Data:
- Identifiers: name, phone number, email, employee ID;
- Demographic data: age, sex, country, cohort;
- Health and wellness data: steps, sleep, heart rate, activity minutes, weight, blood-pressure readings, mood check-ins, screening logs;
- Engagement data: app activity, redemption history, challenge participation;
- Financial identifiers: mobile-money wallet identifier (encrypted), payout reference.
Special categories of Personal Data: The above may include health data, which is a special category under several Data Protection Laws. Processing is performed under the legal basis chosen by the Partner as Controller (typically explicit consent from the Data Subject, captured by Lyvwell during onboarding).
Annex B: Sub-processors
The current list of Sub-processors and the categories of processing each performs is available on request to privacy@lyvwell.health. Categories include cloud hosting, database, message queue, analytics, SMS gateway, mobile-money settlement, and error monitoring.
Signature
This DPA is incorporated by reference into the master agreement and takes effect on the effective date of that agreement. No separate signature page is required unless requested by the Partner.
A note on this template. This is Lyvwell’s starting DPA. It will be reviewed and finalised by counsel before execution with each Partner, and may be adjusted to reflect the specific arrangement, for example where a Partner’s home jurisdiction or sector regulation imposes additional requirements. For questions about this template, email privacy@lyvwell.health.