Data Processing Agreement

Version 1.0 · Last updated 29 April 2026 · Effective 29 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between [ENTITY_NAME] ("Processor", "we") and the customer ("Controller", "you") using the LIA service. It applies whenever the Controller is established in the European Economic Area (EEA), United Kingdom, or Switzerland, or when EU GDPR applies extraterritorially to the Controller's processing.

1. Definitions

Terms in this DPA have the meaning given to them in Regulation (EU) 2016/679 ("GDPR"). "Personal Data" means any information relating to an identified or identifiable natural person.

2. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the LIA Service as described in the Terms of Service. This DPA remains in force for the duration of the service contract and any data retention periods that follow termination.

3. Nature and Purpose of Processing

Processing is limited to operations necessary for delivering the LIA Service:

• User account management (authentication, billing)
• Chat messages dispatched to AI inference providers
• Bridge session telemetry (DAW name, version, timestamps)
• Customer support communications

4. Categories of Personal Data and Data Subjects

Categories of Data Subjects: Controller's authorised users (developers, musicians, contractors).

Categories of Personal Data: email addresses, hashed passwords (Supabase Auth), display names, payment metadata (no card details), chat messages, usage logs, IP addresses (hashed before storage).

5. Obligations of the Processor

1. Process Personal Data only on documented instructions from the Controller, including transfers to third countries (Art. 28(3)(a) GDPR).
2. Ensure persons authorised to process Personal Data are bound by confidentiality.
3. Implement appropriate technical and organisational security measures (Art. 32 GDPR), see §9.
4. Engage Sub-processors only with prior general written authorisation (see §8).
5. Assist the Controller in responding to data subject rights requests (Art. 15-22 GDPR).
6. Notify the Controller without undue delay of any Personal Data breach (Art. 33 GDPR), see §10.
7. At the Controller's choice, delete or return all Personal Data after the end of services (Art. 28(3)(g) GDPR).
8. Make available all information necessary to demonstrate compliance and allow audits (Art. 28(3)(h) GDPR).

6. Obligations of the Controller

The Controller represents that it has obtained all necessary lawful bases (Art. 6 GDPR) for the Personal Data processed under this DPA, and has informed Data Subjects in accordance with Art. 13/14 GDPR.

7. International Data Transfers

The Service is hosted in the European Union (Frankfurt, Germany. Hostinger / supabase.com EU region). Personal Data is processed within the EEA. Where Sub-processors process data outside the EEA (e.g., AI inference providers in the United States), transfers are governed by:

• EU-US Data Privacy Framework (DPF), where the recipient is certified;
• Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), 2021 EU Commission Decision 2021/914.

No Personal Data is transferred to jurisdictions without an EU adequacy decision or appropriate safeguards.

8. Sub-processors

The Controller authorises the Processor to engage Sub-processors. The current list of Sub-processors is available at /api/legal/subprocessors (logged-in endpoint, Art. 15 GDPR right of access). The Processor will notify the Controller of any intended changes at least 30 days in advance, allowing the Controller reasonable time to object.

9. Security Measures (Art. 32 GDPR)

• Encryption in transit: TLS 1.3 for all client-server traffic
• Encryption at rest: AES-256 for database storage (managed by Supabase)
• Access control: role-based, MFA for administrative access
• Network isolation: services bound to loopback or Tailscale network where possible (defence-in-depth)
• Logging: audit trail for all administrative actions
• Incident response: documented runbook for security events

10. Personal Data Breach Notification

The Processor will notify the Controller without undue delay (and in any case within 72 hours of becoming aware) of any breach affecting Personal Data processed under this DPA. The notification will include:

• Nature and approximate scope of the breach
• Categories and approximate number of Data Subjects and records affected
• Measures taken or proposed to mitigate the breach
• Contact details of the privacy officer for further information

11. Termination

Upon termination of the service contract, and at the Controller's written request, the Processor shall delete or return all Personal Data. Backup copies shall be deleted at the next normal backup rotation cycle (maximum 90 days).

12. Liability

Liability under this DPA is governed by the limitations set out in the Terms of Service, except where such limitation conflicts with GDPR Art. 82 (right to compensation).

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Italy. The competent court is the court of the Controller's registered office, or where this is outside the EEA, the court of [SEDE_LEGALE], Italy.

14. Contact

For all matters related to this DPA: [email protected]