Version 1.0 · Effective April 26, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between [Company Legal Name], a Delaware corporation having its principal place of business at [Company HQ Address] ("Lattice Graph", "Processor"), and the customer identified in the Agreement ("Customer", "Controller"), governing the processing of Personal Data by Lattice Graph on Customer's behalf in connection with the Service.
This DPA is incorporated into the Agreement and applies to the extent Lattice Graph processes Personal Data subject to the GDPR, UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended ("CCPA/CPRA"), or other applicable data-protection laws ("Data Protection Laws"). In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data-protection matters.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in the relevant Data Protection Laws. "Personal Data" means any information that is "personal data" under GDPR Article 4(1) or UK GDPR, "personal information" under CCPA/CPRA, or similarly defined under other Data Protection Laws, that Lattice Graph processes on behalf of Customer. "Sub-processor" means any third party engaged by Lattice Graph to process Personal Data on Customer's behalf. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Roles and Scope
With respect to Personal Data processed under the Agreement, Customer is the Controller and Lattice Graph is the Processor. Where Lattice Graph processes Personal Data as a Controller for its own purposes (e.g., billing, account management, security), the Privacy Policy applies. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
Lattice Graph will process Personal Data only on documented instructions from Customer, including those set out in the Agreement, this DPA, and the documented use of the Service through its standard interfaces. Lattice Graph will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
3. Lattice Graph Obligations
Lattice Graph will (a) comply with applicable Data Protection Laws in its processing of Personal Data on Customer's behalf; (b) ensure that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality; (c) implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk (see Annex II); and (d) assist Customer, taking into account the nature of processing, in responding to Data Subject requests, ensuring security, notifying Security Incidents, and conducting data-protection impact assessments.
CCPA service-provider terms. With respect to Personal Data subject to CCPA/CPRA, Lattice Graph is a "service provider" and (i) will not sell or share such Personal Data, (ii) will not retain, use, or disclose such Personal Data outside the direct business relationship with Customer or for any purpose other than performing the Service, (iii) will not combine such Personal Data with personal information from other sources except as permitted by CCPA/CPRA, and (iv) will notify Customer if it determines it can no longer meet these obligations.
4. Sub-processors
Customer grants Lattice Graph general authorization to engage Sub-processors, subject to this Section 4. The current list is set out in Annex III. Lattice Graph will impose on each Sub-processor data-protection obligations no less protective than those in this DPA and will remain liable for the acts and omissions of its Sub-processors as if they were its own.
Lattice Graph will provide Customer with notice of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance. If Customer reasonably objects in writing on legitimate data-protection grounds within fifteen (15) days, the parties will work together in good faith to resolve the objection. If no resolution is reached, Customer may, as its exclusive remedy, terminate the Agreement upon written notice and receive a refund of any prepaid, unused fees attributable to the period after termination.
5. International Data Transfers
Where the processing involves the transfer of Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate by the relevant authority, the transfer will be governed by the applicable Standard Contractual Clauses, which are incorporated into this DPA by reference and deemed executed on the effective date of this DPA, with Module Two (controller to processor) where Customer is a Controller and Module Three (processor to processor) where Customer is itself a processor; Clause 7 (docking) included; Clause 9 — Option 2 with the 30-day notice period in Section 4; Clause 11(a) optional language omitted; Clause 17 — Option 1 (Irish law); Clause 18 (Irish courts); Annexes I, II, III populated by the Annexes to this DPA.
For UK transfers, the UK International Data Transfer Addendum is incorporated by reference. For Swiss transfers, the SCCs are interpreted with appropriate adjustments (Swiss FDPIC; Swiss courts; Swiss law).
Lattice Graph has assessed and continues to assess the laws and practices of recipient countries and implements supplementary technical, organizational, and contractual measures, including encryption in transit and at rest, access controls, audit logging, and a policy of challenging any government request for Personal Data that exceeds what is permitted by applicable law.
6. Security Incidents
Lattice Graph will notify Customer without undue delay, and in any event within 72 hours after becoming aware of a confirmed Security Incident affecting Personal Data processed on Customer's behalf. The notice will, to the extent then known, describe the nature of the Incident, likely consequences, measures taken or proposed to address it and mitigate adverse effects, and a contact point for further information. Information may be provided in phases as it becomes available. A notice or assistance under this Section is not an acknowledgment of fault or liability.
7. Audits
Lattice Graph will make available to Customer all information reasonably necessary to demonstrate compliance, including the most recent SOC 2 Type II report (where available), responses to industry-standard security questionnaires (such as SIG or CAIQ), and the documentation referenced in Annex II.
Customer (or an independent third-party auditor mutually agreed by the parties and bound by appropriate confidentiality) may, no more than once per calendar year (except as required by a supervisory authority or following a confirmed Security Incident), conduct an audit of Lattice Graph's processing of Personal Data on Customer's behalf. Audits require at least thirty (30) days' prior written notice, will be conducted during normal business hours, will not unreasonably interfere with operations, will be at Customer's cost, and will be subject to Lattice Graph's reasonable confidentiality and security requirements. Audits do not include access to source code, security infrastructure, or to data of other customers. Where reasonable assurance can be provided through existing third-party audits, certifications, or questionnaire responses, the parties will use those in lieu of an on-site audit.
8. Return or Deletion of Personal Data
Within ninety (90) days after termination or expiration of the Service, Lattice Graph will, at Customer's choice, delete or return all Personal Data to Customer, and delete existing copies, except to the extent applicable law requires retention or where retention is necessary for backup, legal-hold, or audit purposes. Personal Data residing in routine backups will be deleted in the ordinary course according to Lattice Graph's backup-retention schedule (generally 30–35 days). Until deleted, such Personal Data remains subject to the confidentiality and security obligations of this DPA.
9. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, including the aggregate cap. Any claim brought under this DPA will be considered a claim under the Agreement for purposes of those limitations.
10. Term, Conflict, and Miscellaneous
This DPA takes effect on the effective date of the Agreement and remains in force as long as Lattice Graph processes Personal Data on Customer's behalf. Order of precedence: (i) the SCCs (where applicable); (ii) this DPA; (iii) the Agreement. Lattice Graph may amend this DPA from time to time as necessary to reflect changes in Data Protection Laws, Sub-processors, or operational practices, on at least 30 days' written notice. Sections 6, 7, 8, and 9 survive termination.
Annex I — Description of Processing
Parties. Data exporter (Controller): Customer, as identified in the Agreement. Data importer (Processor): [Company Legal Name], [Company HQ Address], [Company HQ State], United States. Contact: privacy@latticegraph.com.
Data Subjects. Customer's authorized end users (typically employees, contractors, and researchers within Customer's R&D organization), account administrators and billing contacts, and any natural person whose personal data Customer chooses to submit through the Service.
Categories of Personal Data. Identification and contact data (name, business email, organization, role); authentication data (hashed password held by Clerk, OAuth identifiers, MFA factors, session tokens); billing and tax data (customer ID, billing address, tax ID, masked payment method held by Stripe); usage and telemetry (timestamp, endpoint, status code, response time, IP address, SHA-256 hash of API key).
Sensitive data. None expected. Customer agrees not to submit special-category data (Article 9 GDPR) or other sensitive data through the Service except with Lattice Graph's prior written agreement.
Frequency. Continuous, for the duration of the Agreement.
Nature and purpose. Hosting, storage, transmission, authentication, billing, telemetry, usage metering, security, abuse prevention, support, and provision of the Service.
Duration. For the term of the Agreement, plus the retention periods stated in the Privacy Policy.
Competent supervisory authority (SCC purposes). The Irish Data Protection Commission, where Customer has not designated a Member State of establishment under GDPR Art. 56; otherwise, the supervisory authority of the Member State of Customer's main establishment.
Annex II — Technical and Organizational Measures
- Encryption in transit: TLS 1.2 or later for all client connections and inter-service communication.
- Encryption at rest: Database, object storage, and backups encrypted at rest using strong industry-standard ciphers.
- Authentication: Identity managed by Clerk, with support for MFA, OAuth, and session expiration.
- API key management: Plaintext API keys shown only once at issuance; stored only as SHA-256 hashes.
- Access control: Principle of least privilege; role-based access; periodic access reviews.
- Network security: Production environment isolated from development; firewalls; restricted ingress; internal service authentication.
- Logging and monitoring: Authentication and administrative actions logged; security events monitored.
- Vulnerability management: Regular dependency scanning and patching; periodic penetration testing or independent security review.
- Backup and recovery: Regular backups with documented recovery procedures.
- Confidentiality and training: Personnel bound by written confidentiality obligations and trained in security and privacy.
- Incident response: 72-hour notification to controllers for confirmed Security Incidents.
- Sub-processor management: Written agreements with Sub-processors imposing data-protection obligations no less protective than this DPA.
- Data minimization: No request bodies, query payloads, or response bodies stored in usage logs; only metering metadata is retained.
- Physical security: Production infrastructure hosted at DigitalOcean data centers, which maintain 24/7 access control, biometric or badge access, and environmental monitoring.
Annex III — Approved Sub-processors
- Clerk, Inc. — authentication, identity, session management (United States).
- Stripe, Inc. — payment processing, subscription billing, tax (United States).
- DigitalOcean, LLC — application hosting, managed PostgreSQL, object storage (United States).
- Amazon Web Services, Inc. (Simple Email Service) — transactional email delivery (United States, where used).
Notifications of new or replacement Sub-processors are made in accordance with Section 4.
Contact: privacy@latticegraph.com · [Company Legal Name] · [Company HQ Address] · [Company HQ State], United States