DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement governs the processing of personal data by Lemnia LLC on behalf of customers who act as data controllers under applicable data protection law, including the EU General Data Protection Regulation (GDPR) and UK GDPR. This DPA is incorporated into and forms part of the Lymnus Terms of Service.
1. Definitions
"Controller" means the entity that determines the purposes and means of processing Personal Data (the customer using Lymnus).
"Processor" means the entity that processes Personal Data on behalf of the Controller (Lemnia LLC, as operator of Lymnus).
"Personal Data" has the meaning given to it in applicable Data Protection Laws.
"Data Protection Laws" means GDPR, UK GDPR, and any other applicable data protection or privacy laws.
"Processing" has the meaning given to it in applicable Data Protection Laws.
"Sub-processor" means any third party engaged by the Processor to process Personal Data.
"Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Role of the Parties
The parties acknowledge that, in connection with the provision of Lymnus services:
The Controller (Customer) determines the purposes and means of processing Personal Data uploaded to the Platform
The Processor (Lemnia LLC) processes such Personal Data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service
Where Lemnia LLC processes personal data of its own (e.g., account data), it does so as an independent Controller under its Privacy Policy.
3. Controller's Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. The Controller's use of the Platform constitutes its instruction to process Personal Data for the purposes described therein.
4. Processor Obligations
The Processor shall:
Process Personal Data only in accordance with the Controller's documented instructions
Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
Implement and maintain appropriate technical and organizational security measures as described in Annex II
Respect the conditions for engaging Sub-processors as described in Section 7
Taking into account the nature of processing, assist the Controller in fulfilling obligations to respond to data subject requests
Assist the Controller in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations
At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, unless applicable law requires storage
Make available all information necessary to demonstrate compliance with obligations under this DPA and allow for audits
5. Details of Processing
5.1 Subject Matter
The processing of Personal Data through the Lymnus platform for the purposes of providing data extraction, processing, synthetic data generation, report creation, AI chat, and automation services.
5.2 Duration
Personal Data will be processed for the duration of the subscription or until the Controller requests deletion.
5.3 Nature and Purpose of Processing
Storage, organization, extraction, transformation, analysis, generation, and transmission of Personal Data as requested by the Controller through the Platform.
5.4 Types of Personal Data
The types of Personal Data processed depend entirely on the content uploaded by the Controller. They may include: names, email addresses, contact information, financial records, health information, employment data, or any other data included in uploaded files or processed through integrations.
5.5 Categories of Data Subjects
The categories of data subjects depend on the content uploaded by the Controller and may include the Controller's employees, customers, partners, or other individuals.
6. Data Subject Rights
The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws. The Controller is responsible for receiving and validating such requests.
7. Sub-processors
7.1 General Authorization
The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall inform the Controller of intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object. Notice will be provided via email or Platform notification at least 30 days in advance.
7.2 Current Sub-processors
The Processor currently engages the following categories of Sub-processors for services relevant to Personal Data processing:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic PBC | AI model inference (Claude) | United States |
| OpenAI, LLC | AI model inference (GPT) | United States |
| Google LLC | AI model inference (Gemini) | United States |
| Amazon Web Services | Cloud infrastructure and storage | United States / Various |
| Stripe, Inc. | Payment processing (billing data only) | United States |
7.3 Sub-processor Requirements
The Processor shall impose data protection obligations on Sub-processors equivalent to those set out in this DPA and shall remain fully liable to the Controller for the performance of the Sub-processors.
8. Security Measures
The Processor implements and maintains appropriate technical and organizational security measures to protect Personal Data, including those described in Annex II of this DPA.
9. Security Incidents
In the event of a Security Incident involving Personal Data processed under this DPA, the Processor shall:
Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the incident
Provide information about the nature of the incident, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed
Cooperate with the Controller in investigating and remediating the incident
Notification to: contact@lymnus.com. The Controller is responsible for notifying supervisory authorities and data subjects as required by applicable law.
10. International Data Transfers
Where the processing of Personal Data involves transfers to countries outside the EEA or UK, the Processor shall ensure such transfers are made in compliance with Data Protection Laws, including by relying on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other appropriate safeguards.
11. Data Protection Impact Assessments
The Processor shall, where requested and reasonably practicable, provide assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) and any required prior consultation with supervisory authorities.
12. Deletion and Return of Data
Upon termination of the relevant services or upon written request from the Controller, the Processor shall (at the Controller's choice) delete or return all Personal Data processed under this DPA, including copies, unless applicable law requires continued storage. The Processor will confirm deletion in writing within 30 days of the request.
13. Audit Rights
The Controller shall have the right, upon reasonable prior written notice of at least 30 days and no more than once per year, to carry out (or commission) audits to verify the Processor's compliance with this DPA, at the Controller's expense. The Processor may satisfy this obligation by providing relevant certifications, reports, or third-party audit results.
14. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. In the event of conflicting terms, this DPA shall prevail over the Terms of Service solely with respect to data protection matters.
15. Governing Law
This DPA is governed by the laws of the State of Delaware, without prejudice to any mandatory provisions of EU or UK data protection law that may apply.
16. Updates
The Processor may update this DPA from time to time to reflect changes in Data Protection Laws or processing activities. Material changes will be notified to the Controller as described in the Terms of Service.
Annex I — Description of Processing
Controller: The customer entity subscribing to the Lymnus platform.
Processor: Lemnia LLC, operating the Lymnus platform.
Processing activities: See Section 5 above.
Annex II — Technical and Organizational Security Measures
Measures of pseudonymisation and encryption
Encryption of Personal Data in transit using TLS 1.2 or higher (HTTPS)
Encryption of Personal Data at rest using AES-256 or equivalent
Database credentials and API keys stored encrypted
Measures for ongoing confidentiality, integrity, availability, and resilience
Role-based access control (RBAC) limiting staff access to Personal Data on a need-to-know basis
Multi-factor authentication for administrative access to production systems
Regular automated backups with tested restore procedures
High-availability infrastructure to support service continuity
Measures for restoration of availability
Redundant infrastructure across availability zones
Incident response plan with defined recovery time and recovery point objectives
Processes for regular testing
Regular vulnerability scanning and penetration testing
Dependency and security patching processes
Access log monitoring and anomaly detection
Measures for user identification and authorization
Unique user accounts with strong password requirements
Two-factor authentication supported for all accounts
OAuth authentication with major identity providers
Session management with appropriate timeout controls
Measures for physical security
Physical security managed by cloud infrastructure provider (AWS) in accordance with their security standards and certifications (e.g., ISO 27001, SOC 2)
To request a signed DPA or for questions about this agreement, contact:
Email: contact@lymnus.com
Lemnia LLC
131 Continental Dr, Suite 305, Newark, Delaware 19713, United States