Data Processing Agreement
The Art. 28 GDPR terms under which Matterlyt processes your data as a processor.
Last updated: June 2026
This Data Processing Agreement ("DPA") governs Matterlyt's processing of personal data on behalf of the customer, where Matterlyt acts as a processor under Art. 28 GDPR. It forms part of the agreement between the parties for the Matterlyt service and prevails over conflicting data-protection terms. To execute a signed copy, contact privacy@matterlyt.com.
Between: the Customer ("Controller"), the entity agreeing to the Matterlyt Terms of Service; and Lucido LLC, 7901 4th St N, Ste 300, St. Petersburg, FL 33702, USA, operating Matterlyt ("Processor").
1. Subject matter & roles
The Processor processes personal data on behalf of and under the documented instructions of the Controller, solely to provide the service. The Controller is the controller; Lucido LLC is the processor under Art. 28 GDPR.
2. Duration
This DPA applies for the term of the service agreement and until all customer personal data is returned or deleted per §11.
3. Nature, purpose & scope (Art. 28(3))
- Subject matter: provision of the Matterlyt security-questionnaire / trust-content automation service.
- Duration: the service term.
- Nature & purpose: storing, organising, retrieving, and AI-assisted drafting of answers from Controller-provided content; account and support operations.
- Types of personal data & categories of data subjects: see Annex 1.
4. Controller instructions
The Processor processes personal data only on the Controller's documented instructions (including this DPA and the service configuration), unless required by EU/member-state law (in which case it informs the Controller unless legally prohibited). The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR.
5. Confidentiality
Persons authorised to process personal data are bound by appropriate confidentiality obligations.
6. Security (Art. 32)
The Processor implements the technical and organisational measures set out in Annex 2 — Technical & Organisational Measures, appropriate to the risk.
7. Sub-processors (Art. 28(2),(4))
- The Controller provides general authorisation for the Processor to engage the sub-processors listed at matterlyt.com/legal/subprocessors.
- The Processor will give prior notice of additions or replacements, allowing the Controller to object on reasonable data-protection grounds within 14 days.
- The Processor imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains liable for their performance.
- Current sub-processors include Hetzner Online GmbH (EU hosting) and Cloudflare, Inc. — see the list for details and transfer safeguards.
- AI provider (bring-your-own-account): the AI model used to generate answers runs under the Controller's own AI-provider account and terms. That provider is the Controller's processor, not the Processor's sub-processor, and the Controller is responsible for its agreement (and any DPA) with that provider. The Processor transmits content to the Controller-configured endpoint using the Controller's credentials.
8. Data-subject rights
Taking into account the nature of the processing, the Processor assists the Controller with appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests (Art. 12–23). If a request reaches the Processor directly, it forwards it to the Controller and does not respond itself unless instructed.
9. Assistance (Art. 32–36)
The Processor assists the Controller in ensuring compliance with security, breach-notification, DPIA, and prior-consultation obligations, taking into account the nature of processing and the information available to it.
10. Breach notification
The Processor notifies the Controller without undue delay after becoming aware of a personal-data breach affecting Controller data, with the information available, per the incident-response and breach-notification process in our Security Policy.
11. Return / deletion
On termination, at the Controller's choice, the Processor deletes or returns all customer personal data and deletes existing copies, unless EU/member-state law requires storage. Production data is deleted immediately on termination; database backups containing the data are purged within 5 days.
12. Audits (Art. 28(3)(h))
The Processor makes available the information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates — reasonably and subject to confidentiality, with 30 days' notice, no more than once per year unless required by a supervisory authority. The Processor may satisfy audit requests by providing third-party certifications or reports where available.
13. International transfers
Where the Processor or a sub-processor processes Controller data outside the EU/EEA, the transfer is governed by the EU Standard Contractual Clauses (Commission Decision 2021/914), incorporated by reference:
- Module Two (controller → processor) governs transfers from the Controller to Lucido LLC where the Controller is in the EU/EEA and Lucido LLC (US) imports the data.
- Module Three (processor → sub-processor) governs onward transfers from Lucido LLC to sub-processors as applicable.
- For the AI step (bring-your-own-account): content is transmitted to the Controller-configured AI endpoint using the Controller's own account. Any transfer at that step occurs under the Controller's own arrangement with its AI provider — not on the Processor's account. Where the Controller configures an EU-region or self-hosted endpoint, no third-country transfer occurs.
The SCC details (parties, competent supervisory authority, optional clauses) are completed in Annex 3 on execution.
14. Liability
Liability under this DPA is governed by, and subject to the limitations set out in, the service agreement between the parties.
15. AI processing — bring-your-own-account, no model training
The service uses a bring-your-own-account model: AI inference runs under the Controller's own AI-provider account. The Processor (a) does not use Controller personal data or content to train, fine-tune, or improve any AI/ML models, and (b) does not engage any AI provider as its own sub-processor for Controller content — it transmits content to the Controller-configured endpoint using the Controller's credentials. Whether the AI provider may use submitted data is governed by the Controller's own agreement with that provider (for example, the Anthropic commercial API does not train on submitted data by default and offers Zero Data Retention). The Controller is responsible for configuring its AI provider and any DPA with it.
Annex 1 — Details of processing
- Categories of data subjects: the Controller's own personnel and users of the service; individuals named or referenced in questionnaire content / uploaded documents (incidental).
- Types of personal data: names, business contact details, job roles, account and usage data; any personal data the Controller chooses to upload as questionnaire/knowledge-base content. No special-category data is intended; the Controller should not upload special-category data unless agreed.
- Frequency: continuous, for the service term.
- Retention: per §11.
Annex 2 — Technical & organisational measures
See our Security Policy, which sets out our technical and organisational measures.
Annex 3 — SCC completion
- Data exporter: the Controller. Data importer: Lucido LLC.
- Module(s): Two (and Three for onward transfers).
- Competent supervisory authority and any optional clauses are completed on execution, per the Controller's EU establishment or appointed EU representative.
- Technical measures: Annex 2.