Publication Date: April 2, 2023
Effective Date: April 2, 2023
Last Updated Date: July 25, 2024

THESE TERMS OF SERVICE (the “Terms of Service”) govern the use of Exlink, a Software as a Service (“SaaS”) platform owned by Lulo Solutions LLC, a Wyoming limited liability company (“Lulo Solutions” or the “Company”). 
1. The Exlink platform (“Exlink”) assists Clients in providing international student exchange, au pair, work & travel programs (“Exchange Services”).

2. Client means an entity that has contracted with Lulo Solutions by signing a Lulo Solutions Joinder Agreement for a license to use Exlink by its authorized users (each an “Authorized User”). Capitalized terms not defined in this Agreement shall have the meaning stated in the Joinder Agreement. 

3. Configuration; Customization.

(a) Configuration means the implementation by the Company in a Client’s licensed version of Exlink of the Client’s instructions for available standard variables and elections of standard variable features of Exlink as documented in the Client’s Lulo Solutions Joinder Agreement.
(b) Customization means a modification of Exlink contracted by a Client as documented in the Client’s Lulo Solutions Joinder Agreement that requires the Company to modify Exlink standard variables, or standard variable features, or to create additional variables or features that are not then available in Exlink.
(c) The determination of what constitutes a Configuration and what constitutes a Customization will be made by the Company, in its sole and absolute discretion, at the time of entering into a Client’s Lulo Solutions Joinder Agreement.

4. Non-Exclusive.
Company’s obligations to Client pursuant to this Agreement are non-exclusive. During the term of this Agreement, Company may provide services to others of its clients even if such services are similar to or the same as services Company provides to Client pursuant to this Agreement.

5. Agreement to Terms of Service.

The Terms of Service and EULA as may be modified from time to time by Lulo Solutions are posted on the Company’s website at www.exlink.org/legal and are incorporated by reference and made a part of the Lulo Solutions Joinder Agreement signed by each Client. By access to and use of Exlink and anything else on the Company website, Each Client and each User consent to be bound by this Terms of Services and the EULA.

6. Lulo Solutions End User License Agreement (“EULA”).

The EULA as updated or amended from time to time by Lulo Solutions is posted on the Company’s website at www.exlink.org, incorporated into the Terms of Service, and made a part hereof by this reference. Anyone who uses the Company website (www.exlink.org) whether or not a Client or an Authorized User is a “User”, and is bound by the EULA and the Terms of Service. Anyone who does not agree with the EULA and Terms of Service is not permitted to use Exlink.

7. Client Content means any information entered in or posted on Exlink by a Client or Authorized User.

Lulo Solutions is not responsible for any Client Content and does not make any warranties or representations about the Client Content, including without limitation, its accuracy, or suitability for the Exchange Services or any other purpose. Upon termination of the License and payment by Client of all fees and expenses then due to Lulo Solutions, Lulo Solutions shall cooperate to facilitate the transfer of Client Content from Exlink to Client’s designated data repository.

8. Intellectual Property. 
(a) Client is solely responsible for and retains ownership of its Client Content. Notwithstanding the preceding sentence, Client herby grants Lulo Solutions a non-exclusive, fully paid up, royalty free, worldwide license to use, copy, store, transmit and display Client Content and to modify and create derivative works of Client Content as necessary or helpful to enable functioning of Exlink to provide the Exchange Services. Neither Client nor Lulo Solutions grants the other any licenses other than expressly stated in this Agreement or the Joinder Agreement.

(b) Lulo Solutions is the sole and exclusive owner of Exlink and all intellectual property rights therein, worldwide, including without limitation copyright, trademark, and patent rights. If Client or a User gives Lulo Solutions suggestions, comments, or other feedback (“Feedback”) with respect to Exlink or anything related to the business of Lulo Solutions, its products, services, or anything else, the Feedback is voluntary by the individual or entity giving Feedback (the “Giving Party”). The Giving Party may not claim that the Feedback is confidential information of the Giving Party, nor may the Giving Party claim any intellectual property rights in the Feedback. The Giving Party hereby grants Lulo Solutions worldwide, non-exclusive, perpetual, irrevocable, royalty free, fully paid up rights to use the Feedback for any purpose whatsoever, including without limitation, to make, use, disclose, copy, modify, distribute, license, sell, rent, lease, or create derivative works of the Feedback without obligation of any kind to the Giving Party except that the Receiver will not disclose the source of the Feedback without the consent of the Giving Party. 

9. Use of Exlink, User Accounts.
Use of Exlink is restricted to Clients and Authorized Users for the sole purpose of facilitating the Exchange Services. Any other use of Exlink is prohibited. Every User must create an account (a “User Account”) to enable access to Exlink. To create an account, the applicant must be listed by a Client (the “Sponsor”) as an Authorized User. A User may be sponsored by more than one Client; however, the User must create a separate User Account with distinct login credentials for each of its Sponsors. Lulo Solutions is not responsible for the accuracy of a Client’s list of Authorized Users; this is the sole responsibility of the Client. The rights to use Exclink by a Client and its Authorized Users terminates immediately upon termination of the License pursuant to the Joinder Agreement. 

10. Fees for Use of Exlink.
Fees and payment schedule for use of Exlink are specified in the Client’s Joinder Agreement. Exlink fees are not refundable. All fees and other amounts due to Lulo Solutions by Client shall be paid in U.S. Dollars.

11. Exlink Integrations.
Exlink integrates with various third-party systems, including without limitation:

(a) US Department of State API system to manage immigration documents for US-based high school, work and travel, and au pair programs.

(b) Various Criminal Background Check provider APIs to screen host families and independent contractors involved in high school exchange programs.

(c) Various insurance provider APIs to enroll and update enrollments; and

(d) Zapier API - an online-based platform that provides integrations with various other applications or services.


Lulo Solutions makes no warranties or representations about the proper functioning, accuracy of information obtained from any third-party system, or Client’s use of any such integrations.

12. Termination

In addition to termination pursuant to the Joinder Agreement, this Agreement and the License may be terminated by either Party for any or no reason on giving ninety (90) days advance written notice to the other Party. Either Party may terminate this Agreement and the License for material breach of this Agreement or the Joinder Agreement by the other Party, which breach is not cured within thirty (30) days after written notice to the breaching Party. Client’s obligations to pay amounts due Lulo Solutions that have accrued prior to termination shall survive termination of this Agreement and the License.

13. Service Level Agreement (“SLA”).

Lulo Solutions agrees to provide Exlink services to Clients and Authorized Users pursuant to and in accordance with this Agreement.

(a) Definitions:


(1) "Service Availability" means the ability of a Client to access and use Exlink as intended.

(2) "Downtime" refers to any period during which Exlink is not available or is not functioning as intended, excluding any Scheduled Maintenance or a Force Majeure event.
 (3) "Scheduled Maintenance" refers to planned maintenance or updates to the Exlink platform, which may result in temporary unavailability or reduced functionality.


(b) Service Availability Commitment. The Company commits to maintaining a Service Availability of 99.5% during each calendar month, excluding Scheduled Maintenance and Force Majeure events. 

(c) Service Credits.


(1) If Service Availability falls below 99.5% during a calendar month, the Client may request a service credit of 5% of its monthly fee for each full percentage point below the 99.5% commitment, up to a maximum of 100% of the Monthly Fee.


 (2) Service credits shall be applied to the Client's future Monthly Fees and shall not be paid as a refund or applied to any other charges.


 (3) To request a service credit, the Client must submit a claim within 30 days of the end of the calendar month in which the Service Availability fell below the commitment. The claim must include the Client's account information, a description of the Downtime, and any relevant documentation or evidence.


(4) The Company shall review each claim and, if approved, apply the Service Credit to the Client's account within 30 days of receiving the claim. Service Credits may not be transferred or sold and are subject to the Client's continued subscription to Exlink.

(d) Scheduled Maintenance. The Company will make reasonable efforts to perform Scheduled Maintenance during periods of low usage and to provide at least 48 hours advance notice to Clients via email or on Exlink. Scheduled Maintenance will not count towards Downtime for the purpose of calculating Service Availability.

(e) Support Services. Lulo Solutions shall provide support services to the Client via email, phone, or in-platform chat during its regular business hours (Monday through Friday, 9:00 am to 5:00 pm Eastern U.S. Time, excluding U.S. national holidays). The Company shall make reasonable efforts to respond to support requests within 24 hours during our regular business hours and to resolve issues in a timely manner, depending on the complexity and severity of the issue. The Client is responsible for providing accurate and complete information when submitting a support request and for cooperating with our support team in diagnosing and resolving any issues.

(f) Client Responsibilities. The Client is responsible for: maintaining a compatible device, operating system, and Internet connection to access and use Exlink; implementing reasonable security measures to protect its account credentials and any Personal data accessed or stored on its device or network; promptly notifying Lulo Solutions of any issues affecting Service Availability or performance and for providing any information or assistance requested by the Company’s support team.

(g) Exclusions. This SLA does not apply to any issues or delays resulting from the Client's failure to meet its responsibilities, or from factors outside our reasonable control, such as a Force Majeure Event or third-party service outages.


(h) Limitation of Liability. Lulo Solutions’ liability for any failure to meet the Service Availability commitment or for any other breach of this SLA is limited to the Service Credits described in this Agreement. In no event shall the Company be liable for any indirect, special, incidental, consequential, or punitive damages, including but not limited to lost profits or lost data, arising from or related to this SLA or the use of Exlink or any service provided by Lulo Solutions.

14. Privacy Policy.

This Privacy Policy governs the collection, use, and disclosure of personal information by Lulo Solutions. 

(a) Collection of Information. Personal information is provided to Lulo Solutions on Exlink by Clients and Authorized Users. Personal Information means information that may identify a specific individual, including, but not limited to: name, address, email address, telephone number, date of birth, gender, government issued identification such as social security number, passport, visa, and other immigration-related information, medical, health and insurance information, employment and education history. Personal information may also include criminal background check information, and other information gathered in connection with an individual’s use of Exlink, including, but not limited to your IP address and browser information. 

(b) Use of Information. Lulo Solutions uses the Personal Information and other information it collects for various purposes, including but not limited to provide and maintain Exlink; enable and facilitate Exlink to provide Exchange Services; communicate with Clients and Authorized Users; aid in compliance with applicable governmental rules and regulations; and to improve Exlink.

(c) Publication. Lulo Solutions may share information with third parties, including without limitation: with the consent of the involved individual; with service providers, agents, or contractors who help us operate Exlink platform; with third-party integrations, as necessary to facilitate the administration and operation of Exlink, including without limitation, the US Department of State API system, criminal background check providers, and insurance providers; as required by law, regulation, or legal process, such as in response to a court order, subpoena, or government investigation; and when we believe disclosure is necessary to protect the rights, property, or safety of Lulo Solutions, our Clients, Authorized Users, or others, or to detect, prevent, or respond to fraud, abuse, or other harmful activities. Each User consents to the transfer of its Personal Information to the United States and other countries, which may have different data protection laws than your country of residence.

(d) Correction of Personal Information. Each User may access, correct, update, or delete its Personal Information in Exlink. To do so send an email request to privacy@lulo.xyz.

15. Security Policy. 

(a) The protection of Client data is a priority of Lulo Solutions. The Company uses commercially reasonable organizational and technical measures intended to prevent unauthorized access, use, alteration, disclosure, or destruction of Client data stored on Exlink or other systems controlled by Lulo Solutions. This includes, without limitation, limiting access to Client data by Lulo Solutions’ personnel on a need-to-know basis, multi-factor authentication for administrator access, and individually assigned Secure Socket Shell (SSH) keys for external engineer access. Lulo Solutions’ personnel are prohibited from storing Client data on unauthorized electronic portable storage devices such as computer laptops, portable drives and other similar devices. 
The Company separates each Client and Authorized User’s data logically and maintains measures designed to prevent a Client’s data from being exposed to or accessed by other Clients or Authorized Users.

(b) Data Encryption. The Company uses strong encryption technologies to protect Client Data in transport and at rest, including, but not limited to, AES 256-bit encryption for Client Data stored in the Lulo Solutions’ production environment


(c) Network Security, Physical Security, and Environmental Controls. Lulo Solutions maintains controls intended to ensure that security patches for firewalls, systems, and applications used to develop and operate Exlink and other systems controlled by the Company are properly assessed, tested and applied. The Company monitors privileged access to applications that process Client data, including, without limitation, cloud services. Remote access to Lulo Solutions’ environments is controlled with a virtual private network (“VPN”) and or encrypted connection, and or private lines, consistent with industry best practices.


(d) No method of data transmission over the Internet and no data storage mechanism is completely secure. Therefore, the Company cannot guarantee the absolute security of Client data, Personal Information, or any other information transmitted by or to, or stored by or on Exlink or other systems controlled by the Company.

(e) User Accounts. Each User is responsible for maintaining the confidentiality of its own User Account credentials and for any activities that occur under its User Account. If a User suspects any unauthorized use of its account, it must notify the Company immediately at privacy@lulo.xyz.

(f) Data Retention. Lulo Solutions retains Client data and Personal Information for as long as necessary to enable Exlink to support the Exchange Services and to comply with legal, regulatory, or contractual requirements.

(g) Amazon Web Services (“AWS”). Exlink and other systems of Lulo Solutions operate AWS and are protected by Amazon’s security and environmental controls. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. AWS ISO certification and SOC Reports are available at https://aws.amazon.com/compliance/iso-certified/ and https://aws.amazon.com/compliance/soc-faqs/, respectively. Client data hosted in AWS is AES-256 encrypted both in transit and at rest. AWS does not have access to Client unencrypted Data.

(h) Independent Security Assessments. Lulo periodically assesses the security of Lulo systems and Exlink by regular penetration testing by independent third-party security experts that includes black-box automated and manual penetration testing of Service. Lulo Solutions will provide the Client with a high-level summary of the most recent penetration test, subject to reasonable confidentiality protections, at Client’s request.

(i) Incident Response. Immediately upon becoming aware of unauthorized access or disclosure of Client data under its control (an “Incident”), Lulo Solutions will take reasonable measures to mitigate the harmful effects of the Incident and to prevent further unauthorized access or disclosure. Upon confirmation of the Incident, the Company will notify the Client’s designated security contact by email within 24 hours. Notwithstanding the foregoing, Lulo Solutions is not required to make such notice to the extent prohibited by applicable laws. The Company may delay such notice as requested by law enforcement or in light of Lulo legitimate need to investigate or remediate the matter before providing notice. Each notice of an Incident shall include, without limitation: the extent to which Client data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Incident; a description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; the scope of the Incident, to the extent known; and a description of the Company’s response to the Incident, including steps the Company has taken to mitigate any harm caused by the Incident.

(j) Business Continuity. The Company maintains a business continuity and disaster recovery plan in accordance with industry trends and standards. It maintains reasonable processes to ensure failover redundancy with its systems, networks and data storage.

(k) Personnel Management. Lulo Solutions performs employment verification (e.g. proof of identity validation, review of education records and employment track, and background checks) for new hires in positions requiring access to systems and applications storing Client data in accordance with applicable Law. The Company provides training for its personnel who are involved in the processing of Client data to ensure they understand their obligations to not collect, process, or use Client data without authorization and to keep Client data confidential, including following the termination of any role involving Client data. The Company continuously monitors employee activity in its production environments. Upon employee termination, whether voluntary or involuntary, the Company immediately disables the employee’s access to Company systems and physical facilities.

(l) Secure Software Development. Lulo Solutions implements and maintains effective secure software development policies and practices that: reasonably protect the Exlink software from tampering and unauthorized access; minimize security vulnerabilities in each release of the software; and timely respond to address vulnerabilities reported or otherwise identified in the software. Any software testing environments that contain Client data shall be secured in the same fashion as the production environment and as set forth in this Agreement.

16. Restrictive Covenants.

(a) Nondisclosure, Confidential Information. Company and Client acknowledge that prior to or in the course of performance under this Agreement, either may entrust or may have entrusted the other with certain trade secrets, or non-public information (the “Confidential Information”). For purposes of this Agreement, whether or not specifically labeled as such, Confidential Information includes, but is not limited to source code or object code, software designs, operating policies and procedures, prices, terms and conditions of either Party’s business or the providing of services or information by one Party to the other pursuant to this Agreement, a Party’s business, marketing or sales plans or strategies, the identities, needs and requirements of a Party’s employees, customers, personnel information, internal reports and communications of any kind, a Party’s financial information, any other of the Discloser’s non-public information. Confidential Information also includes information that a reasonable person would recognize as being confidential and non-public. The Party disclosing Confidential Information may be referred to herein as the “Discloser” or “Disclosing Party”. The Party receiving Confidential Information may be referred to herein as the “Recipient” or “Receiving Party”. Recipient further acknowledges that the development or acquisition of Confidential Information is the result of great effort and expense by the Discloser, that the Confidential Information is critical to the survival and success of the Discloser, and that the unauthorized disclosure or use of the Confidential Information would cause the Discloser irreparable harm.  

(1) Exclusions from Confidential Information: Notwithstanding anything to the contrary, Confidential Information will not include information that: (A) is now, or hereafter becomes generally known or available to the public through no act or failure to act on the part of Recipient; (B) was acquired by Recipient before receiving such information from the Discloser and without restriction as to use or disclosure; (C) is hereafter rightfully furnished to Recipient by a third party, that was not restricted as to use or disclosure of said information; (D) is information which Recipient can document was developed by Recipient independently and not in connection with Recipient’s relationship with Discloser pursuant to this Agreement; (E) is required to be disclosed pursuant to law, provided Recipient uses reasonable efforts to give the Disclosing Party reasonable notice of such required disclosure; or (F) is disclosed with the prior written consent of the Discloser.

(2) Nondisclosure Period: (A) Recipient shall exercise at least the level of care in protecting Disclosure’s Confidential Information as it exercises in protecting its own Confidential Information; (B) Recipient shall not, during or after the term of this Agreement (the “Non-Disclosure Period”), disclose any Confidential Information to any person or entity, other than to any person or entity that has a need to know such information in order to enable Recipient to perform its obligations to Discloser pursuant to and in accordance with this Agreement; and (C) Recipient shall not, during the Non-Disclosure Period, use any Confidential Information for the benefit of Recipient or any other person or entity, except with the prior written consent of the Discloser.  

(3) Privacy Policy Controls. If there is a conflict between the provisions of Section 15 of this Agreement and the Privacy Policy in Section 13 of this Agreement, or the Security Policy in Section 14 of this Agreement, the provisions of the Privacy Policy shall control.

(4) Return of Materials: Recipient acknowledges and agrees that all originals and copies (whether tangible, intangible, digital or in any other form) of records, reports, documents, lists, plans, memoranda, notes and other documentation related to the business of the Discloser or containing any Confidential Information are the sole and exclusive property of the Discloser, and shall be returned to Discloser or destroyed upon the termination of this Agreement or upon written request by Discloser.  

(b) Non-solicitation. During the term of this Agreement, and during the period Company is eligible to receive any compensation from Client under this Agreement, and the twelve (12) consecutive month period following the expiration of the longer of such periods (herein the “Restricted Period”), Contractor shall not, directly or indirectly hire, solicit, or encourage to leave the Company’s employment or engagement, any employee, consultant, or contractor of the Company or hire any such employee, consultant, or contractor who has left the Company’s employment or contractual engagement within one (1) year of the termination of said individual’s employment or engagement by the Company;

(c) Non-disparagement. During the Restricted Period a Client shall not, in any communication, criticize, ridicule or make any statement which disparages or is derogatory of the Company, its affiliates or any of its respective directors, officers, members, employees, contractors, or agents.

(d) Reasonableness of Restrictions. The Parties agree that the periods of time and geographical area specified above are reasonable in view of the nature of the business in which the Parties are engaged and propose to engage. A Party’s access to the Confidential Information of the other Party, and a Party’s knowledge of the other Party’s business. If the time period or geographic coverage of the covenants contained above is adjudged unreasonable by a court of competent jurisdiction, then such geographic coverage or such time period, as the case may be, shall be reduced to the extent necessary to enable the court to enforce such restrictions to the fullest extent permitted under applicable law.  

(e) Remedies. Each Party agrees that it would be difficult to measure the damages to the other Party from any breach of Section 15(a), 15(b), or 15(c) of this Agreement, and that monetary damages would be an inadequate remedy for such breach. Accordingly, the Parties agree that if a Party breaches Section 15(a), 15(b), or 15(c) of this Agreement, in addition to all other remedies available to it at law or in equity, the injured Party shall be entitled to an injunction or other appropriate orders to restrain any such breach, without being required to show or prove the amount of actual damages sustained by the injured Party. 

17. Data Protection Law – GDPR.

“GDPR” is the General Data Protection Legislation of the European Union (“EU”). It went into effect on May 25, 2018. GDPR protects the online privacy and security of citizens and residents of the EU. The following provisions of this Section 17 are GDPR Model Clauses. They are applicable to Lulo Solutions and Exlink transactions involving citizens and residents of the EU that involve data transfers from the EU to the USA. Provisions of this Agreement that apply to citizens or residents of the EU that conflict with this Section 17 shall be construed to conform to the requirements of the GDPR. The following subsections of this section 17 are the relevant standard clauses approved by the European Commission June 4, 2021.

(a) Definitions. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country. For purposes of the GDPR, the transferor of personal data is called the “Data Exporter” or “Data Controller”. In this Agreement the transferor is the Client or Authorized User. For purposes of the GDPR, the receiver of personal data from the Data Exporter is called the “Data Importer”, or “Data Processor”. In this Agreement, the importer is Lulo Solutions or Exlink.

(b) Hierarchy. In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

(c) Data Protection Safeguards. The data exporter warrants that it has made reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

(d) Purpose Limitation. The Data Importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in this Agreement.

(e) Transparency. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. 

(f) Accuracy and Data Minimization. If the Data Importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the Data Exporter without undue delay. In this case, the Data Importer shall cooperate with the Data Exporter to erase or rectify the data.

(g) Storage Limitation. After the end of the provision of the processing services, the Data Importer shall, at the choice of the Data Exporter, delete all personal data processed on behalf of the controller and certify to the Data Exporter that it has done so, or return to the Data Exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the Data Importer shall continue to ensure compliance with Section 17. In case of local laws applicable to the Data Importer that prohibit return or deletion of the personal data, the Data Importer warrants that it will continue to ensure compliance with Section 17 and will only process it to the extent and for as long as required under that local law. 

(h) Security of Processing. 

(1) The Data Importer and, during transmission, also the Data Exporter shall implement appropriate technical and organizational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller.

 (2) The Data Importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(3) The Data Importer shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(4) In the event of a personal data breach concerning personal data processed by the under these Clauses, the Data Importer, the Data Importer shall take appropriate measures to address the personal data the breach, including measures to mitigate its possible adverse effects. 

(5) In case of a personal data breach the Data Importer shall also notify, without undue delay, the Data Exporter and where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently provided without undue delay.

(6) The Data Importer shall cooperate with and assist the Data Exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the Data Importer. 

(i) Sensitive Data. Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the Data Importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.

(j) Onward Transfers. The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union if the third party is or agrees to be bound by the GDPR Model Clauses.

(k) Documentation and Compliance. The Data Importer shall promptly and adequately deal with inquiries from the Data Exporter that relate to the processing under this Section 17. The Parties shall be able to demonstrate compliance with Section 17. In particular, the Data Importer shall keep appropriate documentation on the processing activities carried out on behalf of the Data Exporter. The Data Importer shall make available to the Data Exporter all information necessary to demonstrate compliance with the obligations set out in this Section 17 and the GDPR Model Clauses. At the Data Exporter’s request the Data Importer shall allow for and contribute to audits of the processing activities covered by this Section 17 and the GDPR Model Clauses at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the Data Exporter may take into account relevant certifications held by the Data Importer. The Data Exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the Data Importer and shall, where appropriate, be carried out with reasonable notice. The Parties shall make the information referred to in this subsection (k), including the results of any audits, available to the competent supervisory authority on request.

(l) Use of Sub-Processors.

(1) The Data Importer has the Data Exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least seven (7) days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The Data Importer shall provide the data exporter with the information necessary to enable the Data Exporter to exercise its right to object.

(2) Where the Data Importer engages a sub-processor to carry out specific processing activities (on behalf of the Data Exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under the GDPR Model Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this subsection, the Data Importer fulfills its obligations under Model Clause 8.8. The Data Importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to the GDPR Model Clauses.

(3) The Data Importer shall provide, at the Data Exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the Data Exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(4)The Data Importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(5)The Data Importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

(m) Data Subject Rights.

(1) The Data Importer shall promptly notify the Data Exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the Data Exporter.

(2) The Data Importer shall assist the Data Exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out the appropriate technical and organizational measures, taking into account the nature of the processing by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(3) In fulfilling its obligations under paragraphs (1) and (2), the Data Importer shall comply with the instructions from the Data Exporter.

(n) Redress.
(1) The Data Importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(2) In case of a dispute between a data subject and one of the Parties as regards compliance with the GDPR Model Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(3) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(A) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority; or

(B) refer the dispute to the competent courts.

(4) The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(o) Liability.

(1) Each Party shall be liable to the other Party for any damages it causes the other Party by any breach of the GDPR Model Clauses.

(2) The Data Importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(3) Notwithstanding subparagraph (2), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(4) The Parties agree that if the Data Exporter is held liable under subparagraph (3) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the Data Importer that part of the compensation corresponding to the Data Importer’s responsibility for the damage.

(5) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(6) The Parties agree that if one Party is held liable under subparagraph (5), it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.

(7) The Data Importer may not invoke the conduct of a sub-processor to avoid its own liability.

(p) Supervision.

(1) Where the Data Exporter is established in an EU member state, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

(2) The Data Importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with Section 17, the GDPR Model Clauses. In particular, the Data Importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

(q) Local Laws and Practices Affecting Compliance with the GDPR Model Clauses.

(1) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the GDPR Model Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with the GDPR Model Clauses.

(2) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements: (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; (ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; (iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under the GDPR Model Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(3) The Data Importer warrants that, in carrying out the assessment under subparagraph (2), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with the GDPR Model Clauses.

(4) The Parties agree to document the assessment under subparagraph (2) and make it available to the competent supervisory authority on request.

(5) The Data Importer agrees to notify the data exporter promptly if, after having agreed to this Section 17 and the GDPR Model Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under subparagraph (1), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in subparagraph (1).

(6) Following a notification pursuant to subparagraph (5), or if the data exporter otherwise has reason to believe that the Data Importer can no longer fulfil its obligations under these Clauses, the Data Exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the Data Exporter or Data Importer to address the situation. The Data Exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the Data Exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under the GDPR Model Clauses. Where the contract is terminated pursuant to this Clause, Clause 17(d) and (e) shall apply.

(r) Obligations of the Data Importer in Case of Access by Public Authorities.

(1) Notification.

(A) The Data Importer agrees to notify the Data Exporter and, where possible, the data subject promptly (if necessary with the help of the Data Exporter) if it: (i) receives  a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to the GDPR Model Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(B) If the Data Importer is prohibited from notifying the Data Exporter or the data subject under the laws of the country of destination, the Data Importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The Data Importer agrees to document its best efforts in order to be able to demonstrate them on request of the Data Exporter.

(C) Where permissible under the laws of the country of destination, the Data Importer agrees to provide the Data Exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority, whether requests have been challenged and the outcome of such challenges, etc.).

(D) The Data Importer agrees to preserve the information pursuant to subparagraphs (A) to (C) for the duration of the contract and make it available to the competent supervisory authority on request.

(E) Subparagraphs (A) to (C) are without prejudice to the obligation of the Data Importer to inform the Data Exporter promptly where it is unable to comply with these GDPR Model Clauses.

(2) Review of Legality and Data Minimization.

The Data Importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The Data Importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. 

(B) The Data Importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It should also make it available to the competent supervisory authority on request.

(C) The Data Importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

(s) Non-compliance with the GDPR Model Clauses and Termination.

(1) The Data Importer shall promptly inform the Data Exporter if it is unable to comply with Section 17 and the GDPR Model Clauses, for whatever reason.

(2) In the event that the Data Importer is in breach of the GDPR Model Clauses or unable to comply with the GDPR Model Clauses, the Data Exporter shall suspend the transfer of personal data to the Data Importer until compliance is again ensured or the contract is terminated.

(3) The Data Exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under the GDPR Model Clauses, where: (A) the Data Exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (2) and compliance with the GDPR Model Clauses is not restored within a reasonable time and in any event within one month of suspension; (B) the Data Importer is in substantial or persistent breach of Section 17 and the GDPR Model Clauses; or (C) the Data Importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under the GDPR Model Clauses. In these cases, it shall inform the competent supervisory authority of such non-compliance.

(4) Personal data that has been transferred prior to the termination of the contract pursuant to subparagraph (3) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The Data Importer shall certify the deletion of the data to the Data Exporter. Until the data is deleted or returned, the Data Importer shall continue to ensure compliance with the GDPR Model Clauses. In case of local laws applicable to the Data Importer that prohibit the return or deletion of the transferred personal data, the Data Importer warrants that it will continue to ensure compliance with the GDPR Model Clauses and will only process the data to the extent and for as long as required under that local law.

(5) Either Party may revoke its agreement to be bound by Section 17 and the GDPR Model Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. 

(t) Governing Law - Choice of Forum and Jurisdiction. Any dispute arising from the GDPR Model Clauses shall be resolved by the courts of the EU Member State in which the Data Exporter is located. A data subject may also bring proceedings against the Data Exporter or Data Importer before the courts of the Member State in which the data subject has his or her habitual residence. The Parties agree to submit themselves to the jurisdiction of said courts.

18. Data Protection Law – CCPA.

As of the last update of these Terms of Service, Lulo Solutions and Exlink are not subject to either the California Consumer Protection Act (“CCPA”), Cal. Civ. Code 1798.100 et seq., or the California Consumer Rights Act (“CCRA”).

19. Disclaimer of Warranty.

(a) Exlink, Exchange Services, and any other services of the Company are provided "AS IS," WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

(b) The Company does NOT warrant that Exlink, Exchange Services, or any other services of the Company are or will be error-free, uninterrupted, or secure, or that any defects or errors will be corrected.

20. Limitation of Liability.

(a) In no event shall the Company be liable for any indirect, special, incidental, consequential, or punitive damages, including but not limited to lost profits or lost data, arising from or related to a Joinder Agreement, the Terms and Conditions, the EULA, or the use of Exlink, or any other products or services provided by the Company, even if the Company has been advised of the possibility of such damages.

(b) The Company’s total liability for any claims arising from, in connection with, or related to a Joinder Agreement, the Terms and Conditions, the EULA, or the use of Exlink, or any other products or services provided by the Company, whether in contract, tort, or otherwise, shall not exceed the amount of fees paid by the complaining individual or entity to the Company for use of Exlink during the twelve (12) consecutive month period immediately preceding the event giving rise to the claim.

21. Indemnification.

To the fullest extent permitted by law, Client indemnifies, protects, and holds harmless Lulo Solutions, its owners, members, managers, officers, employees, independent contractors, and affiliates (collectively, the “Lulo Indemnified Parties”) from and against any and all pending or threatened claims, damages, liabilities, causes of action, costs and expenses arising out of or in connection with breach of any of Client’s obligations, representations, or warranties under this Agreement or the Joinder Agreement.

22. Waiver.

No waiver of any provision of this Agreement, the Joinder Agreement, or the EULA shall be deemed, or shall constitute, a waiver of any other provision, whether or not similar, nor shall any waiver constitute a continuing waiver. No waiver shall be binding unless executed in writing by the Party making the waiver.

23. Assignment.

A Client or Authorized User may not assign its rights or duties under this Agreement, the Joinder Agreement, or the EULA, without the express written consent of the Company. The provisions of this Agreement shall be binding upon and inured to the benefit of the heirs, personal representatives, and permitted successors and assigns of the Parties. Client shall make the provisions of this Agreement known to, and this Agreement shall expressly bind, and Client shall be responsible for ensuring this Agreement binds, Client’s employees, agents, directors, officers, contractors, owners and business partners. Any provision hereof which imposes upon Client, an Authorized User, or Company an obligation after termination or expiration of this Agreement shall survive termination or expiration hereof and be binding upon Client, Authorized User, or Company, as the case may be. 

24. Default.

In the event of a default under this Agreement, the Joinder Agreement, or EULA, the defaulting party shall reimburse the non-defaulting party or parties for all costs and expenses reasonably incurred by the non-defaulting party or parties in connection with the default, including without limitation, reasonable attorney’s fees reasonably incurred. Additionally, in the event a suit or action is filed to enforce this Agreement, the Joinder Agreement, or EULA, or with respect to this Agreement, the Joinder Agreement, or EULA, the prevailing party or parties shall be reimbursed by the other party for all costs and expenses incurred in connection with the suit or action, including without limitation, reasonable attorney’s fees reasonably incurred. 

25. Force Majeure.

(a) None of the Parties shall be considered in breach of this Agreement to the extent that it is prevented or delayed from carrying out those obligations by a Force Majeure Event that arises after the Effective Date, and which was not reasonably foreseeable on or before the Effective Date by the Party asserting the Force Majeure Event (the “Asserting Party”).

(b) Force Majeure Event means any circumstance outside the reasonable control of the Asserting Party to the extent that (i) the Asserting Party cannot prevent, avoid, or remove such circumstance by exercise of reasonable diligence and good practices, and (ii) such circumstance materially and adversely affects the ability of the Asserting Party to perform its obligations under this Agreement. A Force Majeure Event includes, but is not limited to: fire, earthquake, or such other disasters or acts of God, explosion, acts of war (declared or undeclared), terrorism, insurrection, pandemic, epidemic, or any legal prohibition on the Asserting Party’s ability to conduct its business. Provided, however, that breakdown of plant or equipment (unless itself caused by a Force Majeure Event), or unavailability of funds, shall not constitute a Force Majeure Event.

 (c) The Asserting Party shall give notice to the other Party of a Force Majeure Event upon it being foreseen by, or becoming known to, the Asserting Party. If and to the extent that the Force Majeure Event prevents the Asserting Party from performing its obligations under this Agreement, it shall be relieved of its obligations to provide the services during the continuance of the Force Majeure Event.  

 (d) If a Force Majeure Event occurs and its effect continues for a period of at least one hundred twenty (120) days, any Party may give the other Party a notice of termination which shall terminate this Agreement fifteen (15) days after the giving of said notice.

26. Governing Law.

This Agreement shall be governed by and shall be construed in accordance with the laws of the State of New York without regard to its conflicts of law principles. For any disputes arising under or in connection with this Agreement, the Parties consent to the jurisdiction of any court of competent jurisdiction in New York County, New York, the US District Court for Southern District of New York, or other State or Federal court having jurisdiction over New York County, New York. Contractor consents to jurisdiction and venue of any of said courts.

27. Headings.

Headings in this Agreement are for convenience only and shall not be considered in construing this Agreement.  

28. Severability.

If any provision of this Agreement, the Joinder Agreement, or EULA is held to be invalid or unenforceable by a court of competent jurisdiction, the subject agreement shall be construed without regard to said provision. All other provisions of the subject Agreement shall remain in full force and effect.

29. Dispute Resolution, Binding Arbitration.

(a) Notwithstanding anything, any claim or dispute related to or connected with this Agreement that is not resolved by the Parties shall be subject to binding dispute resolution by a single arbitrator by arbitration administered by the American Arbitration Association (“AAA”), Manhattan, NY, in accordance with its Commercial Arbitration Rules as in effect on the Effective Date.

(1) A demand for arbitration shall be in writing delivered to the other Party or Parties involved in the subject dispute, and filed with the AAA Manhattan, NY, office. The Party filing a notice of demand for arbitration must assert in the demand all claims then known to the Party making such demand.

(2) A demand for arbitration shall be made no later than the date when the institution of legal or equitable proceedings based on the claim would be barred by the applicable statute of limitations in New York. For statute of limitations purposes, receipt of a written demand for arbitration by the AAA shall constitute the institution of legal or equitable proceedings based on the claim.

(b) The award rendered by the arbitrator shall be final, and judgment may be entered upon it in accordance with applicable law in any court having jurisdiction thereof.

(c) Arbitration filing fees and fees of the arbitrator shall be awarded to or among the participating Parties as determined in good faith by the arbitrator.

(d) The substantially successful Party or Parties shall be entitled to recover its reasonable attorney fees and costs from the other Party or Parties, determined by the Arbitrator in its sole discretion.

(e) The Parties shall continue to operate in compliance with this Agreement during the pendency of any Dispute Resolution proceeding pursuant to this Paragraph 26.

30. Merger. These Terms and Conditions, the Joinder Agreement, and the End User License Agreement (“EULA”), together, constitute the complete agreement of the Client and Authorized Users with respect to the subject matter of these documents. The Joinder Agreement may be amended only in writing signed by the Client and the Company. The Terms of Service and EULA may be amended by the Company by posting on its website under www.exlink.org/legal.

THE TERMS AND CONDITIONS and EULA are binding upon any Client or User that accesses or uses Exlink, anything on the Company website, or any other product or service of the Company. By such access or use, a Client and User agree to be bound by the Terms and Conditions and the EULA.