Back to Home

Data Processing Agreement

Last updated: May 8, 2026

1. Scope & Purpose

This Data Processing Agreement (DPA) governs the processing of personal data by Lalax Systems on behalf of its customers, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Processing Details

The details of data processing are as follows:

  • Categories of data subjects: Users, customers, and end-users of our platform
  • Types of personal data: Name, email, IP address, usage data, payment information
  • Processing purposes: Service delivery, authentication, billing, support, analytics
  • Processing location: United States and European Union data centers

3. Data Processor Obligations

Lalax Systems as a data processor shall:

  • Process personal data only on documented instructions from the data controller
  • Ensure confidentiality of personnel authorized to process data
  • Implement appropriate technical and organizational security measures
  • Notify the controller of any personal data breaches without undue delay
  • Assist the controller in complying with data subject rights requests

4. Sub-processors

We engage authorized sub-processors including: OpenAI (AI model inference), Anthropic (AI model inference), Stripe (payment processing), Clerk (authentication). Customers will be notified of any sub-processor changes.

5. Data Subject Rights

We assist our customers in fulfilling data subject rights under GDPR, including: right of access, rectification, erasure, restriction of processing, data portability, and objection to processing.

6. Security Measures

We maintain the following security measures:

  • Encryption at rest and in transit (TLS 1.3)
  • Access controls and multi-factor authentication
  • Regular security audits and penetration testing
  • Incident response and disaster recovery procedures
  • Staff training on data protection

7. Data Retention & Deletion

Personal data is retained only as long as necessary to provide services. Upon termination, data is deleted within 90 days unless legal retention obligations apply.

8. Governing Law

This DPA is governed by the laws of Spain and the European Union. Any disputes shall be resolved in the courts of Madrid, Spain.