Data Processing Agreement
This Data Processing Agreement ("DPA") supplements the LightLink Terms of Service and forms the agreed terms under which LightLink (the "Processor") processes personal data on behalf of the Customer (the "Controller") for purposes of the Service.
1. Definitions
Terms have the meanings given to them in the EU General Data Protection Regulation (GDPR) and analogous laws where applicable (UK GDPR, CCPA, PDP Bill).
2. Subject matter and duration
Subject matter: workforce-tracking and analytics services. Duration: for the term of the Customer's subscription, plus a 30-day data preservation window post-termination.
3. Nature and purpose
Processing is necessary to provide the Service contracted by the Controller, including: capturing activity data, generating reports, sending notifications, billing, and AI-assisted analytics where enabled.
4. Categories of data subjects
- The Controller's employees, contractors, or other personnel who use the agent.
- The Controller's administrators who use the admin panel.
5. Categories of personal data
| Category | Examples |
|---|---|
| Identification | Name, employee ID, email, phone |
| Employment | Department, designation, joining date |
| Activity | App usage, URL domains, mouse/keyboard counts |
| Visual | Screenshots (auto-blurred for sensitive apps when enabled) |
| Technical | Device hostname, OS, IP address, agent version |
| Authentication | Hashed passwords, OTP secrets, session tokens |
6. Sub-processors
We use a small set of vetted sub-processors to deliver the Service:
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic | AI Assistant + anomaly detection (only when Customer enables) | USA |
| Razorpay | Payment processing for INR billing | India |
| Let's Encrypt | TLS certificate issuance | USA |
| WhatsAPI (whatsapi.live.pwtech.pw) | WhatsApp delivery (when Customer enables alerts) | India |
We give 30 days' notice to the Customer admin email before adding or replacing a sub-processor.
7. Security measures
See the Security Practices page for details. Summary:
- Encryption in transit with TLS 1.2+ on all endpoints (Let's Encrypt certificate renewed automatically).
- Per-tenant database isolation — no shared tables between Customers.
- Audit log of all mutations to sensitive records, viewable by tenant admins.
- Role-based access control with least-privilege defaults.
- Encrypted backups with tested restore procedures.
- Source-code review for all changes touching authentication or data access.
8. Data subject rights
We assist the Controller in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection):
- Employees can self-serve access and portability via the in-app Privacy Center (one-click JSON download).
- Erasure requests must be issued by the Controller; we delete data within 14 days of receipt.
- For complex requests, contact dpo@lightlink.uludeveloper.top.
9. Personal-data breach notification
We notify the Controller's admin contact within 72 hours of confirming a breach affecting their data, with the information required by GDPR Art. 33(3).
10. Audit rights
Controllers may, at their cost and with reasonable notice, audit our processing once per year — typically by reviewing this DPA, the Security Practices page, and the audit log inside the admin panel. Onsite audits are available for Enterprise plans.
11. Returning or deleting data
On termination, we either return all data (JSON archive on request) or delete it within 30 days, per the Controller's instruction. Backups are purged within 90 days of the deletion.
12. International transfers
Where Personal Data is transferred outside the country of origin (e.g. to Anthropic in the USA for AI features), we rely on Standard Contractual Clauses or equivalent safeguards.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
14. Contact
Data Protection Officer: dpo@lightlink.uludeveloper.top