Data Processing Agreement
1. Scope and applicability
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and lynox AI, operated by Brandfusion Burlet, Neue Jonastrasse 71, 8640 Rapperswil SG, Switzerland ("Processor") for the provision of lynox Managed Hosting services.
This DPA applies where the Processor processes personal data on behalf of the Controller in the course of providing the Managed Hosting service. It supplements the Terms of Service and Privacy Policy.
This DPA does not apply to self-hosted installations of lynox, where the user is both controller and operator of their own infrastructure.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR and Art. 5(a) nDSG.
- "Processing" means any operation performed on Personal Data, as defined in Art. 4(2) GDPR and Art. 5(d) nDSG.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Services" means the lynox Managed Hosting service as described in the Terms of Service.
3. Roles of the parties
The Controller determines the purposes and means of processing Personal Data through their use of the Services. The Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller.
4. Subject matter and duration
The subject matter of processing is the provision of AI-assisted business operations via the lynox Managed Hosting platform. Processing begins when the Controller's managed instance is provisioned and continues for the duration of the subscription agreement.
5. Nature and purpose of processing
The Processor processes Personal Data to provide the following services on behalf of the Controller:
- AI-assisted conversations and business communication analysis
- Memory extraction and knowledge graph construction
- CRM and contact management
- Workflow execution and task automation
- Email triage and content analysis
- File storage and retrieval
6. Types of personal data
The following categories of Personal Data may be processed depending on the Controller's use of the Services:
- Names and contact details (email addresses, phone numbers)
- Business communications (emails, messages, notes)
- Calendar entries and scheduling data
- File contents uploaded or referenced by the Controller
- CRM records (contact information, interaction history)
- Knowledge graph entities derived from the above
7. Categories of data subjects
- The Controller's employees and authorized users
- The Controller's customers, clients, and prospects
- The Controller's business partners and suppliers
- Any other individuals whose data the Controller processes through the Services
8. Processor obligations
In accordance with Art. 28(3) GDPR and Art. 9 nDSG, the Processor shall:
8.1 Instructions
Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
8.2 Confidentiality
Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Security measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex: Security Measures.
8.4 Sub-processors
Not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. The current list of sub-processors is set out in Section 9.
8.5 Data subject rights
Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR and Art. 25-29 nDSG.
8.6 Assistance with compliance
Assist the Controller in ensuring compliance with obligations pursuant to Art. 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
8.7 Deletion or return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data. See Section 12 for timelines.
8.8 Audits
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits shall be conducted with reasonable notice (at least 30 days) and during normal business hours, and shall not unreasonably interfere with the Processor's operations.
9. Sub-processors
The Controller hereby grants the Processor general authorization to engage the following sub-processors. The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors.
| Sub-processor | Purpose | Location | DPA in place |
|---|---|---|---|
| Anthropic, PBC | LLM inference (Starter tier, direct API) | United States | Yes — Anthropic DPA |
| Amazon Web Services (AWS) | LLM inference via Bedrock (Managed EU tier, Frankfurt) | EU (Frankfurt, eu-central-1) | Yes — AWS GDPR DPA |
| Stripe, Inc. | Payment processing and subscription billing | United States / EU | Yes — Stripe DPA |
| Hetzner Online GmbH | Server infrastructure (dedicated VPS per customer) | Germany (EU) | Yes — Hetzner DPA |
| Brevo (Sendinblue SAS) | Transactional email delivery (SMTP relay) and contact list management | EU (France/Germany) | Yes — Brevo DPA |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, tunnel relay | United States / EU (edge network) | Yes — Cloudflare DPA |
| Plausible Insights OÜ | Anonymous website analytics (no personal data) | EU (Estonia) | Yes — Plausible DPA |
| Self-hosted (Bugsink) | Error reporting (always active for managed instances) | EU (self-hosted) | No third-party transfer — self-hosted on EU infrastructure |
10. International data transfers
Where Personal Data is transferred to sub-processors located outside of Switzerland or the EU/EEA, the Processor ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — EU Commission-approved SCCs (2021/914) are incorporated into all sub-processor agreements involving transfers to the United States or other non-adequate countries.
- Swiss-US Data Privacy Framework — Where applicable and where the sub-processor is certified, transfers may additionally rely on the Swiss-US Data Privacy Framework.
- Supplementary measures — Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) are applied to all data transferred to or processed by sub-processors.
- Bedrock EU option — Controllers who select the Managed EU tier benefit from AI inference processed exclusively within the EU (AWS Frankfurt, eu-central-1), avoiding cross-border transfers for AI processing.
11. Liability and indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such liability cannot be limited under applicable law.
The Processor shall indemnify the Controller against all claims, damages, and expenses arising from the Processor's breach of this DPA or applicable data protection law, except to the extent that such claims arise from the Controller's instructions or the Controller's own breach of data protection law.
12. Term and termination
This DPA remains in effect for the duration of the Controller's subscription to the Managed Hosting service.
- Data export — Upon termination or expiration, the Controller may export all Personal Data from their managed instance within 30 days.
- Data deletion — After the 30-day export period, the Processor shall delete all Personal Data from the managed instance within 90 days, unless retention is required by applicable law.
- Confirmation — Upon request, the Processor shall provide written confirmation that all Personal Data has been deleted.
Annex: Technical and organizational security measures
The Processor implements the following measures to protect Personal Data processed on behalf of the Controller:
Encryption
- Secrets at rest: AES-256-GCM encryption for API keys and credentials (vault)
- Key derivation: PBKDF2 with customer-specific vault keys
- Data in transit: TLS 1.3 for all connections
- Conversation data: stored unencrypted on the dedicated server to enable safety monitoring in response to abuse reports or legal requests (see Privacy Policy)
Tenant isolation
- Each Managed Hosting customer runs on a dedicated virtual server (Hetzner Cloud)
- No shared databases, file systems, or application processes between tenants
- Network-level isolation between customer instances
Access control
- No routine access: lynox AI staff do not access customer conversations, knowledge graphs, or files during normal operations
- Exception-based access: conversation data may be accessed solely in response to abuse reports, legal requests, or automated safety alerts (see Privacy Policy)
- API keys and vault secrets are never accessed — they remain encrypted and inaccessible to lynox AI staff
- Infrastructure access limited to provisioning and maintenance operations
- Multi-factor authentication required for all administrative access
Container hardening
- Read-only root filesystem
- No-new-privileges flag enabled
- Minimal base images with no unnecessary packages
- Tmpfs for temporary data only
Monitoring and audit trail
- Automated health monitoring for all customer instances
- Administrative actions on the control plane are logged
- Incident response procedures are maintained and reviewed periodically
Backup and recovery
- Crash-safe backup procedure (SQLite VACUUM INTO)
- Backup encryption with AES-256-GCM where enabled
- Configurable retention period (default: 30 days)
- Restore capability tested periodically
Regular testing and evaluation
- Continuous integration security pipeline (dependency scanning, secret detection, container vulnerability scanning)
- Security practices aligned with OWASP Top 10 guidelines
- Periodic backup restore tests
- Regular review of technical and organizational measures
13. EU representative
lynox AI is established in Switzerland, not in the EU/EEA. Pursuant to Art. 27 GDPR, we have appointed Prighter Group with its local partners as our EU representative and point of contact for data subjects in the European Union.
To exercise your privacy-related rights or contact our EU representative, please visit:
https://app.prighter.com/portal/13646667120
14. Contact
For all questions related to this DPA or data processing:
[email protected]
15. Governing law
This DPA is governed by Swiss law. The exclusive place of jurisdiction is Rapperswil-Jona, Canton of St. Gallen, Switzerland. Where the Controller is subject to the GDPR, the provisions of the GDPR shall prevail in the event of any conflict with this DPA or the governing law.