Data Processing Agreement
1. Scope and applicability
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and lynox AI, operated by Brandfusion Burlet, Neue Jonastrasse 71, 8640 Rapperswil SG, Switzerland ("Processor") for the provision of lynox Managed Hosting services.
This DPA applies where the Processor processes personal data on behalf of the Controller in the course of providing the Managed Hosting service. It supplements the Terms of Service and Privacy Policy.
This DPA does not apply to self-hosted installations of lynox, where the user is both controller and operator of their own infrastructure.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR and Art. 5(a) nDSG.
- "Processing" means any operation performed on Personal Data, as defined in Art. 4(2) GDPR and Art. 5(d) nDSG.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Services" means the lynox Managed Hosting service as described in the Terms of Service.
3. Roles of the parties
The Controller determines the purposes and means of processing Personal Data through their use of the Services. The Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller.
4. Subject matter and duration
The subject matter of processing is the provision of AI-assisted business operations via the lynox Managed Hosting platform. Processing begins when the Controller's managed instance is provisioned and continues for the duration of the subscription agreement.
5. Nature and purpose of processing
The Processor processes Personal Data to provide the following services on behalf of the Controller:
- AI-assisted conversations and business communication analysis
- Memory extraction and knowledge graph construction
- CRM and contact management
- Workflow execution and task automation
- Email triage and content analysis
- File storage and retrieval
6. Types of personal data
The following categories of Personal Data may be processed depending on the Controller's use of the Services:
- Names and contact details (email addresses, phone numbers)
- Business communications (emails, messages, notes)
- Calendar entries and scheduling data
- File contents uploaded or referenced by the Controller
- CRM records (contact information, interaction history)
- Knowledge graph entities derived from the above
7. Categories of data subjects
- The Controller's employees and authorized users
- The Controller's customers, clients, and prospects
- The Controller's business partners and suppliers
- Any other individuals whose data the Controller processes through the Services
8. Processor obligations
In accordance with Art. 28(3) GDPR and Art. 9 nDSG, the Processor shall:
8.1 Instructions
Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
8.2 Confidentiality
Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Security measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex: Security Measures.
8.4 Sub-processors
Not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. The current list of sub-processors is set out in Section 9.
8.5 Data subject rights
Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR and Art. 25-29 nDSG.
8.6 Assistance with compliance
Assist the Controller in ensuring compliance with obligations pursuant to Art. 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
8.6a Personal data breach notification
The Processor shall notify the Controller of a Personal Data Breach without undue delay and in any case within 72 hours of becoming aware of it, providing the information required under Art. 33(3) GDPR to the extent then known. Where that information cannot be provided all at once, it will be provided in phases without further undue delay.
8.7 Deletion or return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data. See Section 12 for timelines.
8.8 Audits
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits shall be conducted with reasonable notice (at least 30 days) and during normal business hours, and shall not unreasonably interfere with the Processor's operations.
9. Sub-processors
The Controller hereby grants the Processor general authorization to engage the following sub-processors. The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors. The canonical, always-current list is maintained at /subprocessors and mirrored in the source repository at SUBPROCESSORS.md.
| Sub-processor | Purpose | Location | DPA in place |
|---|---|---|---|
| Anthropic, PBC | Primary LLM inference (Claude family, direct API) | United States | Yes — Anthropic DPA |
| Mistral AI SAS | LLM inference for chat, agent workflows, mail-triage classification, and memory consolidation (Mistral Large family, direct API; non-persistent server-side prompt cache, not used for training per Mistral terms). Selected as primary provider by EU-residency customers and as fallback by others. | France (EU) | Yes — Mistral Terms & DPA |
| Stripe, Inc. | Payment processing and subscription billing | United States / EU | Yes — Stripe DPA |
| Hetzner Online GmbH | Server infrastructure — shared tenant hosts (isolated container per customer); dedicated VPS available as Enterprise upgrade | Germany (EU) | Yes — Hetzner DPA |
| Brevo (Sendinblue SAS) | Transactional email delivery (SMTP relay) and contact list management | EU (France/Germany) | Yes — Brevo DPA |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, tunnel relay | United States / EU (edge network) | Yes — Cloudflare DPA |
| Plausible Insights OÜ | Anonymous website analytics (no personal data) | EU (Estonia) | Yes — Plausible DPA |
| Self-hosted (Bugsink) | Error reporting (always active for managed instances) | EU (self-hosted) | No third-party transfer — self-hosted on EU infrastructure |
10. International data transfers
Where Personal Data is transferred to sub-processors located outside of Switzerland or the EU/EEA, the Processor ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — EU Commission-approved SCCs (2021/914) are incorporated into all sub-processor agreements involving transfers to the United States or other non-adequate countries.
- Swiss-US Data Privacy Framework — Where applicable and where the sub-processor is certified, transfers may additionally rely on the Swiss-US Data Privacy Framework.
- Supplementary measures — Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) are applied to all data transferred to or processed by sub-processors.
- Mistral AI in the EU — AI inference can be routed to Mistral AI's direct API, which is operated by an EU-based company (France) and processes requests within the EU. EU-residency customers select Mistral as their primary provider; other customers may use it as a fallback or for selected workloads.
11. Liability and indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such liability cannot be limited under applicable law.
The Processor shall indemnify the Controller against all claims, damages, and expenses arising from the Processor's breach of this DPA or applicable data protection law, except to the extent that such claims arise from the Controller's instructions or the Controller's own breach of data protection law.
12. Term and termination
This DPA remains in effect for the duration of the Controller's subscription to the Managed Hosting service.
- Data export — Upon termination or expiration, the Controller may export all Personal Data from their managed instance within 30 days.
- Data deletion — After the 30-day export period, the Processor shall delete all Personal Data from the managed instance within 90 days, unless retention is required by applicable law.
- Confirmation — Upon request, the Processor shall provide written confirmation that all Personal Data has been deleted.
Annex: Technical and organizational security measures
The Processor implements the following measures to protect Personal Data processed on behalf of the Controller:
Encryption
- Conversation content and derived memory rest on per-tenant container volumes on Hetzner Cloud infrastructure (Nürnberg). Application-layer envelope encryption is applied to API keys, OAuth tokens and other credentials (AES-256-GCM with HKDF-SHA256 per-tenant key derivation). Application-layer encryption of conversation payloads and host-level disk encryption (LUKS) are on the production-hardening roadmap; until then, access is controlled by per-tenant Docker isolation, OS-level filesystem permissions, and audit-logged administrative access.
- Data in transit: TLS 1.3 for all connections
Tenant isolation
- Each Managed Hosting customer runs in an isolated Docker container with its own hardened root filesystem, its own encrypted vault, and its own database files. Multiple customer containers may share the same underlying tenant host (Hetzner Cloud).
- No shared databases, file systems, or application processes between tenants. Per-tenant vault key derivation (HKDF-SHA256) ensures secrets for one customer cannot be decrypted by any other tenant on the same host.
- Network-level isolation between customer containers via separate namespaces. No inbound traffic between tenants.
- A dedicated single-tenant VPS is available as an Enterprise option on request for customers with strict single-tenant requirements.
Access control
- No routine access: lynox AI staff do not access customer conversations, knowledge graphs, or files during normal operations
- Exception-based access: conversation data may be accessed solely in response to abuse reports, legal requests, or automated safety alerts (see Privacy Policy)
- API keys and vault secrets are never accessed — they remain encrypted and inaccessible to lynox AI staff
- Infrastructure access limited to provisioning and maintenance operations
- Multi-factor authentication required for all administrative access
Container hardening
- Read-only root filesystem
- No new privileges flag enabled
- Minimal base images with no unnecessary packages
- Tmpfs for temporary data only
Monitoring and audit trail
- Automated health monitoring for all customer instances
- Administrative actions on the control plane are logged
- Incident response procedures are maintained and reviewed periodically
Backup and recovery
- Crash-safe backup procedure (SQLite VACUUM INTO)
- Backup encryption with AES-256-GCM where enabled
- Configurable retention period (default: 30 days)
- Restore capability tested periodically
Regular testing and evaluation
- Continuous integration security pipeline (dependency scanning, secret detection, container vulnerability scanning)
- Security practices aligned with OWASP Top 10 guidelines
- Periodic backup restore tests
- Regular review of technical and organizational measures
13. EU representative
lynox AI is established in Switzerland, not in the EU/EEA. Pursuant to Art. 27 GDPR, we have appointed Prighter Group with its local partners as our EU representative and point of contact for data subjects in the European Union.
To exercise your privacy-related rights or contact our EU representative, please visit:
https://app.prighter.com/portal/13646667120
14. Contact
For all questions related to this DPA or data processing:
privacy@lynox.ai
15. Governing law
This DPA is governed by Swiss law. The exclusive place of jurisdiction is Rapperswil-Jona, Canton of St. Gallen, Switzerland. Where the Controller is subject to the GDPR, the provisions of the GDPR shall prevail in the event of any conflict with this DPA or the governing law.