Data Processing Agreement

Version 1.0 – Effective December 2025

About This Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and LynxPrompt ("Processor") for the provision of services. By using LynxPrompt, you automatically accept this DPA. Business customers may request a signed copy by emailing [email protected].

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the Customer).
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller (LynxPrompt / GeiserCloud).
  • "Subprocessor" means any third party engaged by the Processor to Process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).

2. Scope and Roles

This DPA applies to the Processing of Personal Data by LynxPrompt in connection with providing the Services.

Customer Role: Data Controller – You determine why and how Personal Data is processed when using LynxPrompt.

LynxPrompt Role: Data Processor – We process Personal Data only on your behalf and according to your instructions.

3. Data Processing Details

Subject Matter

The provision of the LynxPrompt platform for creating, storing, sharing, and purchasing AI IDE configuration files and prompts.

Duration of Processing

For the duration of your use of LynxPrompt services, plus any retention period required by law or as specified in our Privacy Policy.

Nature and Purpose

  • Account creation and authentication
  • Storing and managing user-created blueprints
  • Processing marketplace transactions
  • Subscription management and billing
  • Customer support and service communications

Types of Personal Data

  • Account identifiers (email, name, profile picture)
  • OAuth provider identifiers (GitHub ID, Google ID)
  • User-generated content (blueprints, configurations)
  • Usage data (pages visited, features used)
  • Payment information (processed by Stripe)
  • Team membership data (for Teams subscribers)

Categories of Data Subjects

  • Users who create LynxPrompt accounts
  • Team members (for Teams subscriptions)
  • Marketplace buyers and sellers (if applicable to your use)

4. Processor Obligations

LynxPrompt, as Processor, agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law
  • Ensure that persons authorized to Process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures as described in our Security page
  • Only engage Subprocessors with prior authorization and equivalent data protection obligations
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, etc.)
  • Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
  • Delete or return all Personal Data upon termination of services, unless retention is required by law
  • Make available information necessary to demonstrate compliance and allow for audits

5. Controller Obligations

The Customer, as Controller, agrees to:

  • Ensure that there is a valid legal basis for the Processing of Personal Data
  • Provide clear and documented instructions for Processing
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to LynxPrompt
  • Inform LynxPrompt of any Data Subject requests it receives that require LynxPrompt's assistance
  • Ensure compliance with applicable data protection laws regarding the Personal Data

6. Subprocessors

The Customer authorizes LynxPrompt to engage the following categories of Subprocessors:

Subprocessor       | Purpose                       | Location
-------------------|-------------------------------|-------------------------
GitHub (Microsoft) | OAuth authentication          | USA (SCCs)
Google             | OAuth authentication          | USA/EU (SCCs)
Stripe             | Payment processing            | USA/EU (SCCs, PCI-DSS)
Anthropic          | AI processing (Teams only)    | USA (SCCs)
Cloudflare         | CDN, DDoS protection          | Global (SCCs)

A complete list of Subprocessors with details is maintained in our Privacy Policy, Section 6. LynxPrompt will notify customers of any new Subprocessors via email or website notice before engagement.

7. International Data Transfers

Personal Data may be transferred outside the European Economic Area (EEA) only to Subprocessors listed above. Such transfers are protected by:

  • Standard Contractual Clauses (SCCs): EU-approved contractual provisions ensuring adequate protection
  • Supplementary Measures: Encryption in transit and at rest, access controls, and other technical measures
  • Adequacy Decisions: Where applicable, reliance on EU adequacy decisions

8. Security Measures

LynxPrompt implements the following technical and organizational measures:

  • Encryption of data in transit using TLS 1.3
  • EU-based data storage for all primary databases
  • Access controls with least-privilege principles
  • Regular security updates and vulnerability management
  • Secure authentication (OAuth 2.0, passkeys, CSRF protection)
  • Network segmentation with databases not exposed to the internet
  • Regular backups with secure storage

Full details are available on our Security page.

9. Data Subject Rights

LynxPrompt will assist the Controller in responding to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Requests can be submitted to [email protected] and will be addressed within 30 days.

10. Personal Data Breach Notification

In the event of a Personal Data breach, LynxPrompt will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) with the following information:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11. Audit Rights

LynxPrompt will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits. Audit requests should be submitted to [email protected] with reasonable notice (minimum 30 days).

12. Term and Termination

This DPA is effective as long as LynxPrompt processes Personal Data on behalf of the Controller. Upon termination:

  • LynxPrompt will delete or return all Personal Data within 30 days, unless retention is required by law
  • The Controller may request a copy of their data in a portable format before deletion
  • Certain data may be retained for legal compliance (e.g., tax records for 7 years)

13. Governing Law

This DPA is governed by the laws of Spain. The courts of Cartagena (Murcia), Spain shall have jurisdiction over any disputes arising from this DPA, unless mandatory law provides otherwise.

14. Contact Information

Data Processor:

Sergio Fernández Rubio (GeiserCloud)

Calle Tierno Galván 25

30203 Cartagena, Murcia, Spain

Privacy inquiries: [email protected]

Legal/DPA inquiries: [email protected]

Need a Signed Copy?

Business customers who require a countersigned DPA for their records can request one by emailing [email protected] with your company name and the email address of the authorized signatory. We will send you a PDF for countersignature within 5 business days.
