Data Processing Agreement

Last Updated: December 10, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between VRLY Ventures LLC, d/b/a Lyynx ("Processor," "we," "us") and you ("Controller," "Customer," "you") for the provision of Services as defined in our Terms of Service.

This DPA applies to the extent that we process Personal Data on your behalf as a Processor in connection with providing the Services. This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Controller in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Subprocessor" means any third party engaged by Processor to process Personal Data on Controller's behalf.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including GDPR, CCPA, and other relevant regulations.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Scope and Roles

3.1 For the purposes of Data Protection Laws, you are the Controller and we are the Processor of Personal Data submitted to the Services by you or on your behalf.

3.2 This DPA applies to Personal Data that we process on your behalf, including:

  • Reference contact information (names, emails, job titles, testimonials)
  • Company information and profiles
  • User account data for your team members
  • Content uploaded to the Services

3.3 The nature, purpose, and duration of processing are described in Annex 1 attached to this DPA.

4. Controller Obligations

You represent and warrant that:

  • You have obtained all necessary consents and authorizations for the processing of Personal Data
  • You have provided appropriate privacy notices to Data Subjects
  • Your processing instructions comply with applicable Data Protection Laws
  • You have a lawful basis for processing the Personal Data
  • You will inform us promptly of any changes affecting our ability to comply with Data Protection Laws

5. Processor Obligations

We shall:

  • 5.1 Process Personal Data only on your documented instructions, unless required by law
  • 5.2 Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • 5.3 Implement appropriate technical and organizational security measures as described in Annex 2
  • 5.4 Comply with the conditions for engaging Subprocessors as set out in Section 7
  • 5.5 Assist you in responding to Data Subject requests to exercise their rights
  • 5.6 Assist you in ensuring compliance with your security, breach notification, and data protection impact assessment obligations
  • 5.7 Delete or return Personal Data upon termination, at your choice, unless required by law to retain it
  • 5.8 Make available information necessary to demonstrate compliance with this DPA

6. Security Measures

6.1 We implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents. These measures are described in Annex 2 and on our Security page.

6.2 We regularly assess and test the effectiveness of our security measures.

6.3 We may update security measures from time to time, provided that updates do not materially decrease the overall level of security.

7. Subprocessors

7.1 You authorize us to engage Subprocessors to process Personal Data on your behalf, subject to the requirements of this Section.

7.2 Our current list of Subprocessors is available at Subprocessor List.

7.3 We will notify you of any intended changes to Subprocessors by updating our Subprocessor List. You may object to a new Subprocessor by notifying us within 14 days. If you reasonably object, we will work to address your concerns or offer alternatives.

7.4 We ensure that Subprocessors are bound by data protection obligations substantially similar to those in this DPA.

7.5 We remain liable for the acts and omissions of our Subprocessors.

8. Data Subject Rights

8.1 We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests to access, correct, delete, or port their Personal Data.

8.2 If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law.

8.3 We will provide reasonable technical and organizational assistance to enable you to respond to requests within applicable timeframes.

9. Security Incidents

9.1 We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data.

9.2 Notification will include:

  • Description of the nature of the incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident
  • Contact point for further information

9.3 We will cooperate with you in investigating and mitigating the effects of any Security Incident.

10. International Transfers

10.1 Personal Data may be transferred to, stored, and processed in the United States and other countries where we or our Subprocessors operate.

10.2 For transfers from the EU/EEA to countries without adequacy decisions, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

10.3 The SCCs are incorporated into this DPA by reference. You may request a copy by contacting us.

10.4 We implement supplementary measures as necessary to ensure transferred data receives adequate protection.

11. Audits

11.1 Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA.

11.2 We will allow for and contribute to audits conducted by you or an auditor mandated by you, subject to:

  • Reasonable advance notice (at least 30 days)
  • Reasonable scope and duration
  • Confidentiality of audit findings
  • Non-interference with our business operations
  • Costs borne by you

11.3 We may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.

12. Term and Termination

12.1 This DPA becomes effective when you accept our Terms of Service and continues until termination of the Services.

12.2 Upon termination:

  • We will delete or return all Personal Data within 30 days of your request, unless required by law to retain it
  • We will provide certification of deletion upon request
  • Obligations relating to confidentiality and data protection survive termination

13. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party is liable for damages caused by its breach of this DPA or Data Protection Laws.

14. Contact

For questions about this DPA or data protection matters, contact:

VRLY Ventures LLC
d/b/a Lyynx
1346 How Lane, Unit 7
North Brunswick Township, NJ 08901

Email: compliance@lyynx.com

Annex 1: Details of Processing

Nature and Purpose of Processing

Processing of Personal Data to provide the Lyynx customer reference management platform, including storage, organization, retrieval, and display of reference contacts, testimonials, and related content.

Categories of Data Subjects

  • Customer employees and team members
  • Reference contacts (customer's clients)
  • Prospects viewing references

Categories of Personal Data

  • Identity data: names, job titles, photographs
  • Contact data: email addresses, phone numbers
  • Professional data: company name, industry, role
  • Content data: testimonials, case studies, video testimonials
  • Usage data: login history, feature usage, interactions

Duration of Processing

For the term of the agreement plus the retention periods specified in Section 12.

Annex 2: Security Measures

We implement the following technical and organizational security measures:

Technical Measures

  • Encryption of data in transit (TLS 1.2+)
  • Encryption of data at rest
  • Secure authentication mechanisms
  • Access controls and role-based permissions
  • Regular security assessments and penetration testing
  • Intrusion detection and monitoring
  • Regular backups with encryption
  • Firewalls and network segmentation

Organizational Measures

  • Employee security training and awareness
  • Confidentiality agreements for personnel
  • Access limited to authorized personnel
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Vendor security assessments
  • Regular policy reviews and updates

For more details, see our Security page.