Data Processing Agreement

"Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1).

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

"Subprocessor" means any third party engaged by Lyrie to process Personal Data on behalf of the Controller.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

Lyrie processes Personal Data solely to provide the Services described in the Terms of Service. The categories of data subjects and types of Personal Data processed depend on which Lyrie products the Customer uses:

Lyrie WAF: IP addresses, HTTP headers, URL paths, query parameters, and request metadata of end users visiting Customer's protected domains. Processed for threat detection, blocking, and logging.

LyrieHEX & OMEGA Scanners: Domain names, IP addresses, server response data, certificate metadata, and discovered vulnerability details. Processed to generate security reports.

Lyrie AI Security & Privacy: Device identifiers (hashed), OS type, process metadata, file hashes, and threat detection events. Processed for endpoint protection.

Data Breach Monitoring: Email addresses submitted for monitoring. Processed to check against breach databases.

Captcha: IP addresses, browser fingerprint signals, and interaction patterns. Processed for bot detection. No personal data is stored beyond the verification session.

Lyrie shall:

• Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
• Ensure that persons authorized to process the Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Security Practices.
• Respect the conditions for engaging subprocessors as described in Section 6.
• Assist the Controller in fulfilling data subject access requests and rights under GDPR Articles 15–22.
• Assist the Controller in ensuring compliance with obligations under GDPR Articles 32–36 (security, breach notification, impact assessments, prior consultation).
• At the Controller's choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage.
• Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

The Controller shall:

• Ensure that it has a lawful basis for processing Personal Data and that all necessary consents or authorizations have been obtained.
• Provide documented instructions to the Processor regarding the processing of Personal Data.
• Be responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor.
• Comply with all applicable data protection laws, including GDPR, in its use of the Services.

Lyrie shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.

The notification shall include:

• A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned.
• The name and contact details of the data protection point of contact.
• A description of the likely consequences of the Data Breach.
• A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

Notifications will be sent to the email address associated with the Controller's account and to the designated DPA contact if one has been provided.

The Controller provides general authorization for Lyrie to engage subprocessors. The current list of subprocessors is maintained at legal.lyrie.ai/subprocessors.

Lyrie shall:

• Notify the Controller of any intended changes to the list of subprocessors at least 30 days before the new subprocessor begins processing Personal Data.
• Provide the Controller with the opportunity to object to such changes. If the Controller objects and Lyrie cannot accommodate the objection, the Controller may terminate the affected Services.
• Impose data protection obligations on each subprocessor no less protective than those set out in this DPA through a written contract.
• Remain fully liable for the acts and omissions of its subprocessors.

If Personal Data is transferred outside the European Economic Area (EEA), Lyrie shall ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
• Transfer Impact Assessments where required.
• Supplementary measures as necessary to ensure the transferred data is afforded a level of protection essentially equivalent to that guaranteed within the EEA.

Enterprise customers may request region-locked data processing where all Personal Data remains within the EEA. Contact [email protected] for configuration.

The Controller has the right to audit Lyrie's compliance with this DPA. Audits may be conducted:

• No more than once per calendar year, with at least 30 days' written notice.
• During Lyrie's normal business hours and in a manner that does not unreasonably disrupt operations.
• By the Controller directly or by an independent third-party auditor mutually agreed upon, bound by confidentiality obligations.

Lyrie will also make available SOC 2 Type II reports, penetration test summaries, and compliance certifications upon request under NDA.

Upon termination of the Services or upon the Controller's written request:

• Lyrie will delete all Personal Data within 30 days, except where retention is required by applicable law.
• The Controller may request a machine-readable export of their data before deletion via the dashboard Data Controls or API.
• Lyrie will provide written confirmation of deletion upon request.
• Backup copies will be deleted within 90 days of the primary deletion in accordance with automated backup rotation schedules.

This DPA remains in effect for the duration of the Services agreement. Data processing obligations survive termination until all Personal Data has been deleted or returned.

Either party may terminate this DPA if the other party materially breaches its obligations and fails to cure the breach within 30 days of written notice.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted by applicable law.

For DPA-related inquiries:

OTT Cybersecurity LLC
Email: [email protected]
GDPR requests: [email protected]

To sign a DPA or request a custom data processing agreement for your organization, contact [email protected].