Data Processing Agreement
Effective date: March 14, 2026 · Last updated: March 14, 2026
1. Parties & Background
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- Lambda Cognition Ltd, a company registered in England and Wales with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom (the "Processor"); and
- The entity that has entered into a subscription agreement for the DoraLytics Service (the "Controller").
1.2 Background
This DPA supplements and forms part of the Terms of Service between the Processor and the Controller. It governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the DoraLytics platform.
This DPA is intended to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").
2. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here shall have the meanings given to them in the GDPR or the Terms of Service.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Controller" means the entity that determines the purposes and means of Processing of Personal Data.
- "Processor" means Lambda Cognition Ltd, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means the GDPR, the UK GDPR, and any applicable EU or EEA member state laws implementing or supplementing the GDPR, as amended from time to time.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Supervisory Authority" means an independent public authority established by an EU/EEA member state or the UK pursuant to Data Protection Laws.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
3. Scope and Purpose of Processing
3.1 Purpose
The Processor shall process Personal Data solely for the purpose of providing, maintaining, and supporting the DoraLytics Service as described in the Terms of Service, and in accordance with the Controller's documented instructions.
3.2 Types of Personal Data
The categories of Personal Data processed under this DPA include:
- User account data - names, email addresses, job titles, and organisational roles of the Controller's authorised users;
- Compliance-related data - data uploaded by the Controller for DORA compliance management, which may include employee names, ICT vendor contact details, incident records containing personal identifiers, and governance documentation.
3.3 Categories of Data Subjects
- Employees and contractors of the Controller;
- Contact persons at the Controller's ICT third-party service providers;
- Other individuals whose Personal Data the Controller uploads to the Service in the course of compliance management.
3.4 Duration
Processing shall continue for the duration of the Controller's subscription to the Service, plus a 30-day data retention period following termination to facilitate data export, as described in Section 11.
4. Processor Obligations
The Processor shall:
4.1 Instructions
Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data outside the EU/EEA, unless required to do so by applicable law - in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so.
4.2 Confidentiality
Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
Implement and maintain appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk, as detailed in Section 5 of this DPA.
4.4 Data Subject Rights
Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.
4.5 Data Protection Impact Assessments
Assist the Controller with data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities under Articles 35 and 36 of the GDPR, where required, taking into account the nature of processing and the information available to the Processor.
4.6 Demonstrating Compliance
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA.
4.7 Audits
Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the terms set out in Section 10.
5. Technical and Organisational Measures
The Processor implements and maintains the following technical and organisational measures to protect Personal Data:
5.1 Encryption
- In transit: All data transmitted between the Controller's users and the Service is encrypted using TLS 1.2 or higher.
- At rest: All Personal Data stored within the Service is encrypted using AES-256 encryption.
5.2 Access Control
- Role-based access control (RBAC) restricting access to Personal Data to authorised personnel only;
- Multi-factor authentication (MFA) required for all administrative access;
- Principle of least privilege applied across all systems and personnel.
5.3 Infrastructure Security
- All primary data processing hosted within the EU/EEA (Hetzner Cloud, Helsinki, Finland);
- Logically isolated tenant environments ensuring separation of Controller data;
- Network segmentation and firewall protections.
5.4 Monitoring and Logging
- Comprehensive logging of access to Personal Data;
- Automated alerting for suspicious or anomalous access patterns;
- Log retention for a minimum of 12 months for audit and investigation purposes.
5.5 Backup and Recovery
- Daily encrypted backups of all Personal Data;
- Backup retention period of 30 days;
- Documented disaster recovery procedures with tested recovery objectives.
5.6 Personnel Security
- All staff with access to Personal Data receive regular data protection training;
- Confidentiality agreements in place for all personnel;
- Background checks conducted where permitted by law.
5.7 Incident Response
- Documented incident response plan covering detection, containment, eradication, and recovery;
- Designated incident response team;
- Post-incident review and remediation processes.
6. Sub-processors
6.1 General Authorisation
The Controller hereby provides general written authorisation for the Processor to engage Sub-processors for the processing of Personal Data in connection with the Service. The current list of authorised Sub-processors is set out in Annex B.
6.2 Notification of Changes
The Processor shall notify the Controller in writing at least 30 days before adding or replacing any Sub-processor, providing details of the proposed Sub-processor, its location, and the nature of processing to be performed.
6.3 Right to Object
The Controller may object to the appointment of a new Sub-processor within 15 days of receiving notification, by providing written reasons for the objection. If the parties cannot resolve the objection within a reasonable period, the Controller may terminate the affected portion of the Service or, where resolution is not possible, terminate the Subscription in accordance with the Terms of Service.
6.4 Sub-processor Obligations
The Processor shall ensure that each Sub-processor is bound by a written contract imposing data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
7. International Data Transfers
7.1 EU/EEA Processing
All primary processing of Personal Data is performed within the European Union / European Economic Area. The Processor's infrastructure is hosted by Hetzner Online GmbH in Helsinki, Finland.
7.2 Transfers Outside the EEA
Where any transfer of Personal Data outside the EEA is necessary for the provision of the Service (for example, through Cloudflare's content delivery network), the Processor shall ensure that such transfers are subject to appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission;
- Adequacy decisions by the European Commission, where applicable;
- Supplementary technical and organisational measures as required by applicable guidance.
7.3 Cloudflare
Cloudflare, Inc. is a US-based entity. The Processor has configured EU data residency settings within Cloudflare's infrastructure and has entered into SCCs with Cloudflare to ensure appropriate safeguards for any Personal Data processed through their services.
8. Data Subject Rights
8.1 Assistance
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction, data portability, and objection.
8.2 Redirection
If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request without undue delay.
8.3 Response Timeframe
The Processor shall provide the Controller with reasonable assistance in responding to Data Subject requests within 5 business days of receiving a request from the Controller for such assistance.
9. Personal Data Breach
9.1 Notification
The Processor shall notify the Controller of any Personal Data Breach without undue delay, and in any event within 48 hours of becoming aware of the breach.
9.2 Notification Content
The notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of the Processor's point of contact;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
9.3 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall also assist the Controller in complying with its notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 of the GDPR.
10. Audit Rights
10.1 Right to Audit
The Controller may audit the Processor's compliance with this DPA by providing at least 30 days' written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
10.2 Frequency
The Controller may conduct a maximum of one audit per 12-month period, unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit.
10.3 Alternative Assurance
In lieu of an on-site audit, the Processor may provide the Controller with a SOC 2 Type II report, ISO 27001 certification, or equivalent independent third-party audit report that covers the controls relevant to this DPA.
10.4 Costs
The costs of any audit shall be borne by the Controller, unless the audit reveals a material non-compliance by the Processor with its obligations under this DPA, in which case the reasonable costs of the audit shall be borne by the Processor.
11. Data Deletion and Return
11.1 Data Export
Upon termination or expiration of the Subscription, the Processor shall make all Personal Data available to the Controller for export in standard, machine-readable formats for a period of 30 days.
11.2 Deletion
After the 30-day export period, the Processor shall delete all Personal Data from its primary systems and certify such deletion in writing to the Controller upon request.
11.3 Backup Deletion
Copies of Personal Data contained in backup systems shall be deleted within an additional 30 days following deletion from primary systems, in accordance with the Processor's standard backup rotation schedule.
11.4 Early Deletion
The Controller may request immediate deletion of all Personal Data at any time by providing written notice to the Processor at [email protected]. The Processor shall comply with such request within 30 days and provide written confirmation of deletion.
12. Liability
12.1 Terms of Service
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12.2 Regulatory Liability
Each party shall be liable for its own compliance obligations under Data Protection Laws. The Processor shall be liable for damages caused by processing that does not comply with the obligations of this DPA or where it has acted outside of or contrary to the Controller's lawful instructions.
13. Term and Termination
13.1 Duration
This DPA shall become effective on the date the Controller first accesses the Service and shall remain in effect for the duration of the Subscription.
13.2 Survival
This DPA shall survive termination of the Subscription until the Processor has completed the deletion of all Personal Data in accordance with Section 11.
13.3 Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
14. Governing Law
This DPA and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales, consistent with the governing law provisions of the Terms of Service.
The courts of London, England shall have exclusive jurisdiction over any dispute arising from this DPA.
Annex A - Details of Processing
Processing Description
| Item | Details |
|---|---|
| Subject matter | Provision of the DoraLytics DORA compliance management platform |
| Duration of processing | Term of the Subscription + 30 days for data export |
| Nature and purpose | Storage, organisation, structuring, retrieval, consultation, use, and presentation of compliance-related data to facilitate the Controller's DORA compliance management |
| Types of Personal Data | Names, email addresses, job titles, organisational roles, vendor contact details, ICT incident records, and other Personal Data uploaded by the Controller |
| Categories of Data Subjects | Controller employees and contractors, ICT third-party vendor contact persons, other individuals included in compliance records uploaded by the Controller |
Annex B - Authorised Sub-processors
Current Sub-processors
As of the effective date of this DPA, the Processor engages the following Sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany (processing in Helsinki, Finland) | Cloud infrastructure and hosting - all Customer data is stored and processed on Hetzner servers located in Helsinki, Finland (EU) |
| Cloudflare, Inc. | United States (EU data residency configured) | Content delivery network (CDN), DNS resolution, and DDoS protection - EU data residency settings applied; SCCs in place |
This list is maintained and updated in accordance with Section 6 of this DPA. The Controller will be notified of any changes at least 30 days in advance.
Contact
For questions or requests related to this DPA, please contact:
Lambda Cognition Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
Email: [email protected]