Data Processing Addendum

Effective May 29, 2026

This Data Processing Addendum is part of the agreement between Livy and Customer. It applies when Livy processes personal data on Customer's behalf in connection with the services.

Roles

For personal data that Livy processes on Customer's behalf through the services, Customer acts as the controller, business, agency, or similar principal under applicable law, and Livy acts as the processor, service provider, contractor, or similar service recipient.

Livy may also process limited business-contact, billing, account, security, device, log, and usage information for its own legitimate business operations, service administration, legal compliance, fraud prevention, and security.

Processing instructions

Livy will process personal data only to provide, secure, support, troubleshoot, maintain, and improve the services; as configured by Customer; as stated in the agreement; on Customer's documented instructions; or as required by law.

Livy will not sell personal data or share it for cross-context behavioral advertising.

Livy will not retain, use, or disclose personal data outside the direct business relationship with Customer except as permitted by the agreement, this DPA, or applicable law.

No AI model training

Livy does not use Customer Data or personal data to train Livy's or a third party's general-purpose AI models. Livy will give Customer prior written notice and obtain Customer's explicit consent before changing this practice.

If Customer enables automated or AI-assisted features, Customer authorizes Livy to use AI service providers as subprocessors for those features. Livy will not authorize those providers to train general-purpose AI models on Customer Data or personal data.

Confidentiality

Livy will ensure that personnel authorized to process personal data are bound by confidentiality obligations and access controls appropriate to their roles.

Security measures

Livy will maintain reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, alteration, disclosure, or destruction.

Those safeguards may include, as appropriate to the services and the risk, access controls, authentication controls, encryption in transit and at rest, logging, backup and recovery measures, vulnerability management, vendor-management controls, and incident-response procedures.

Livy may pursue third-party security assessments, reports, or certifications over time. Unless expressly stated in an order form or security exhibit, Livy does not represent that the services meet any specific certification, audit standard, or security framework.

Subprocessors

Customer gives general written authorization for Livy to use subprocessors.

Livy will remain responsible for subprocessors' processing of personal data to the extent required by applicable law and the agreement.

Livy will publish the current subprocessor list on its subprocessor page and will provide email notice of material additions to Customer's named legal or privacy contact.

Customer may object to a new subprocessor on reasonable data-protection grounds within 15 days after notice. The parties will work in good faith on a reasonable alternative. If no reasonable alternative is available, Customer may terminate the affected services, and Livy will refund prepaid fees for the terminated portion of the unused term.

Requests, disclosures, and public records

Customer is responsible for responding to requests from data subjects, regulators, public-records requesters, litigants, and other third parties concerning Customer Data.

If Livy receives a request or legal demand relating to Customer Data, Livy will promptly notify Customer unless legally prohibited and will reasonably assist Customer at Customer's reasonable expense.

Nothing in this DPA reduces Customer's responsibility for open-meeting, public-records, retention, accessibility, or similar legal obligations.

Security incidents

Livy will notify Customer without undue delay after confirming a security incident involving personal data in Customer Data.

The notice will include information reasonably available to Livy, such as the nature of the incident, categories of affected data, likely consequences, and remediation steps being taken.

Livy will take reasonable steps to contain, investigate, and mitigate the security incident and will reasonably cooperate with Customer's response.

Livy will not notify affected individuals or regulators on Customer's behalf unless required by law or authorized by Customer in writing.

Audits and information

On reasonable written request and not more than once per year, Livy will provide information reasonably necessary to demonstrate compliance with this DPA, including summaries of security practices and available third-party assessments.

Any further audit right must be exercised during normal business hours, with reasonable notice, under confidentiality obligations, and only to the extent the requested information is not already provided through reports, certifications, or documentation.

Deletion and return

Customer may access Customer Data through the services during the subscription term and may request a bulk export from Livy at any time.

On termination or expiration of an order form, Customer may request a bulk export of personal data in Customer Data for 60 days unless the order form states a different period. Livy will deliver requested exports in a standard machine-readable format within a reasonable period.

After the export window ends, Livy will delete or return personal data in Customer Data, except where retention is required by law or reasonably necessary for backup, fraud prevention, security, audit, or dispute-resolution purposes.

Retained data remains subject to the agreement and this DPA.

International transfers

If applicable law requires specific transfer terms for cross-border processing of personal data, the parties will cooperate in good faith to adopt them through a short transfer addendum or updated DPA attachment.

Processing details

Subject matter: software services for public-agency meetings, agenda materials, records, public participation, workflow management, and related automated and AI-assisted features.

Duration: the subscription term plus any limited post-termination return, deletion, backup, audit, security, or legal-retention period.

Categories of data subjects: Customer users, public-agency staff, officials, body members, contractors, public participants, requesters, and website visitors.

Categories of personal data:

• identity and account data (such as names, email addresses, login credentials, roles, departments, body membership);
• activity and workflow data (such as approvals, votes, minutes, attendance, workflow status, internal notes);
• submission and content data (such as public submissions, attachments, comments, and related metadata);
• technical and log data (such as IP address, device information, diagnostic data, and usage information).

Detailed processing specifics for a given customer may be set out in the order form.

Sensitive data: only to the extent intentionally submitted by Customer, authorized users, or public participants. Unless expressly agreed otherwise, the services are not intended as a primary system for highly regulated data such as regulated health data, payment-card data, or criminal-justice data.

Changes to this DPA

Livy may update this DPA by posting an updated version. Material changes apply from the effective date stated with the updated DPA, subject to the agreement.

Contact

Questions about this DPA may be sent to support@livygov.com.