Data Processing Addendum
This addendum governs the processing of personal data in connection with the Services.
DATA PROCESSING ADDENDUM
Effective Date: March 19, 2026
This DPA forms part of and is incorporated into Loon's Terms of Service (the "Agreement"). By entering into the Agreement, you agree to the terms of this DPA. Should you require a separately executed copy of this DPA, please contact privacy@loonbio.com.
This Data Processing Addendum ("DPA") governs the processing of Your Personal Data by Loon Inc. and its affiliates ("Loon," "we," "us," or "our") in connection with the services provided under the Agreement.
In the event of a conflict between the Agreement and this DPA, this DPA governs with respect to the processing of Your Personal Data.
DEFINITIONS
"Collected Personal Data" means Personal Data collected by us that is required for you and your Users to register for and access the Service, and for contact, notification, and other legitimate business purposes.
"Data Protection Laws"means applicable data protection and privacy laws, including, to the extent applicable: the EU General Data Protection Regulation 2016/679 ("GDPR"); the UK GDPR and the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection; the California Consumer Privacy Act ("CCPA"); and any other applicable data protection legislation.
"Security Incident" means a breach of our security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Personal Data.
"Service(s)" means the services and software provided by us to you as described in the Agreement.
"Standard Contractual Clauses"or "SCCs" means the Controller-to-Processor Clauses (Module Two) approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Sub-processor" means any third party engaged by us to process Your Personal Data on your behalf.
"Third Country" means a country outside the EEA not recognized by the European Commission as providing an adequate level of data protection.
"Uploaded Personal Data" means Personal Data uploaded by you or your Users to the Service.
"Users" means you or individuals you authorize to use the Service or Software under active subscriptions.
"Your Personal Data" means Uploaded Personal Data and Collected Personal Data, collectively.
All other capitalized terms not defined herein have the meanings given in the GDPR or the Agreement, as applicable.
1. SCOPE AND ROLES
1.1 This DPA applies when Your Personal Data is processed by us in connection with the Service. With respect to Uploaded Personal Data, you are the controller and we are the processor. With respect to Collected Personal Data, we act as an independent controller.
1.2 You acknowledge that we do not access Uploaded Personal Data without your express consent. You are solely responsible for the lawfulness and protection of data you upload to the Service.
1.3 You shall not upload any categories of data prohibited under the Agreement. Any such upload constitutes a material breach of the Agreement and this DPA.
2. DETAILS OF PROCESSING
| Element | Description |
|---|---|
| Subject matter | Uploaded Personal Data and Collected Personal Data |
| Duration | For the term of the Agreement |
| Purpose | Provision of the Service(s) under the Agreement |
| Nature of processing | Collection, storage, organization, retrieval, use, deletion, and such other processing as necessary to provide the Service in accordance with your documented instructions |
| Categories of data subjects | Employees, contractors, end users, or other individuals whose data you have lawfully obtained |
| Types of personal data | Uploaded Personal Data as determined by you; Collected Personal Data as described in our Privacy Policy |
3. YOUR INSTRUCTIONS
3.1 We shall process Your Personal Data only on your documented instructions, including with respect to international transfers, unless required by applicable law. The Agreement and this DPA constitute your complete instructions at the time of execution.
3.2 We will promptly inform you if, in our opinion, an instruction would result in a violation of Data Protection Laws.
4. CONFIDENTIALITY
We shall restrict access to Your Personal Data to authorized personnel who require access to perform the Services. Such personnel shall be bound by appropriate confidentiality obligations.
5. SECURITY
We shall implement and maintain appropriate technical and organizational measures to protect Your Personal Data, taking into account the state of the art, costs of implementation, the nature of the processing, and the risks to data subjects. A description of our security measures is set out in Annex II.
6. SUB-PROCESSORS
6.1 General authorization. You grant us general written authorization to engage Sub-processors.
6.2 Sub-processor obligations. We shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
6.3 Liability. We remain liable to you for the acts and omissions of our Sub-processors with respect to Your Personal Data.
7. DATA SUBJECT REQUESTS
If we receive a request from you or one of Your Users relating to Your Personal Data, we shall promptly forward the request to you and, where appropriate, provide commercially reasonable assistance to help you respond. You authorize us to acknowledge receipt of such requests on your behalf.
8. SECURITY INCIDENT NOTIFICATION
Upon becoming aware of a Security Incident affecting Your Personal Data, we shall notify you without undue delay, providing: (a) the nature of the incident; (b) the categories and approximate number of data subjects and records affected; (c) contact details for further information; and (d) any other information required by applicable law.
9. AUDITS
Upon reasonable request, we shall make available to you information necessary to demonstrate compliance with this DPA, including relevant audit reports, certifications, or other compliance documentation.
10. INTERNATIONAL TRANSFERS
10.1 The SCCs shall apply to any transfer of Your Personal Data to a Third Country.
10.2 For transfers of Uploaded Personal Data, you are the data exporter (controller) and we are the data importer (processor) under Module Two of the SCCs.
10.3 You authorize us to store and process Your Personal Data in Canada and any country in which we or our Sub-processors maintain facilities, provided appropriate safeguards are in place.
11. RETURN AND DELETION OF DATA
11.1 Upon termination of the Agreement, or upon your written request, we shall return or delete all Your Personal Data within sixty (60) days, except to the extent we are required by applicable law to retain such data.
11.2 You acknowledge that we may be subject to legal retention obligations that require preservation of certain records beyond the termination of the Agreement.
12. TERM AND TERMINATION
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to any surviving obligations regarding return or deletion of data.
13. GENERAL
13.1 Entire agreement. This DPA, together with the Agreement and the SCCs incorporated by reference, constitutes the entire agreement between the parties regarding the processing of Your Personal Data.
13.2 Governing law. This DPA shall be governed by the laws of the Republic of Ireland, without regard to conflict of laws principles. For the purposes of the SCCs (Clauses 17 and 18), the governing law shall be the laws of the Republic of Ireland and disputes shall be resolved before the courts of Ireland.
13.3 Supervisory authority. The competent supervisory authority for the purposes of the SCCs is the Data Protection Commission of Ireland.
ANNEX I-A: LIST OF PARTIES
Data Exporter (You):
| Name | As specified in your Agreement with Loon |
| Address | As specified in your Agreement with Loon |
| Contact person | As specified in your Agreement with Loon |
| Data Protection Officer (if any) | As applicable |
| EU Representative (if any) | As applicable |
| Role | Controller of Uploaded Personal Data |
Data Importer (Loon) as Processor of Uploaded Personal Data
| Name | Loon Inc. |
| Address | 7 Bayview Station Rd, Ottawa, Ontario, K1Y 2C5, Canada |
| Contact person | Mara Rada |
| Role | Processor of Uploaded Personal Data |
Loon as Independent Controller of Collected Personal Data
| Name | Loon Inc. |
| Address | 7 Bayview Station Rd, Ottawa, Ontario, K1Y 2C5, Canada |
| Contact person | Mara Rada |
| Role | Independent Controller of Collected Personal Data |
| Applicable obligations | Sections 4, 5, and 13 of this DPA; all other obligations arising directly under applicable Data Protection Laws |
ANNEX I-B: DESCRIPTION OF TRANSFER
| Element | Description |
|---|---|
| Categories of data subjects | Employees, contractors, end users, or other individuals whose data you have lawfully obtained |
| Categories of personal data | Uploaded Personal Data as determined by you; Collected Personal Data per our Privacy Policy |
| Frequency of transfer | Continuous, depending on your use of the Service |
| Nature of processing | As described in Section 2 of this DPA |
| Purpose | Provision of the Services under the Agreement |
| Retention period | As specified in Section 11 of this DPA |
| Sub-processor transfers | Sub-processors process Your Personal Data for the duration of the Agreement per Section 6 |
ANNEX I-C: COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is the Data Protection Commission of Ireland.
ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
We maintain administrative, physical, and technical safeguards for the protection, confidentiality, security, and integrity of Your Personal Data, including but not limited to:
- Encryption of data in transit
- Access controls and least-privilege authentication
- Regular vulnerability assessments and penetration testing
- Incident response and business continuity procedures
- Employee security awareness training
We shall not materially decrease the overall security of the Service during the term of the Agreement.