1. When this DPA applies
Whenever Processor (Lydira LLC) processes personal data on behalf of Controller that falls within the scope of Regulation (EU) 2016/679 (“GDPR”). It supplements the Master Subscription Agreement and is incorporated by reference when the Customer’s primary establishment is in the EU or EEA.
2. Subject matter + duration
Subject matter: the provision of Lydira’s travel-agency CRM service. Duration: matches the term of the Master Subscription Agreement. On termination, §10 applies.
3. Data Subjects + categories of Personal Data
Data Subjects — Controller’s employees (advisors, managers); Controller’s end-customers (travellers); Controller’s business contacts (suppliers, referrers).
Personal Data categories — names, business contact info, travel itinerary details, payment method metadata (no card PAN — Stripe holds tokenised data), communication logs across email / SMS / WhatsApp, user account credentials (hashed), session + audit metadata.
Special-category data is not processed by design. If the Customer inputs such data into free-text fields, Processor processes it only under this DPA.
4. Processor obligations
- Process only on Controller’s documented instructions.
- Ensure confidentiality through binding obligations on authorised personnel.
- Implement Art. 32 technical + organisational measures (see §8).
- Engage Sub-processors only under §7’s conditions.
- Assist Controller with DSAR fulfilment + breach notification within 72h.
- Return or delete Personal Data on termination per §10.
- Make compliance evidence available on request.
5. Sub-processors
Controller authorises the Sub-processors listed at /legal/subprocessors. Any change receives ≥ 30 days’ prior written notice. Controller may object on reasonable GDPR grounds; if unresolved, Controller may terminate the affected service and Processor refunds prepaid fees for the unused portion.
6. Security measures (Art. 32)
- Encryption at rest (AES-256) + in transit (TLS 1.2+).
- Principle of least privilege; production database access is restricted and gated through controlled access points.
- Every record change is audit-logged, scoped to each account.
- Application secrets are encrypted and rotated per environment.
- Independent penetration testing and continuous vulnerability scanning (target cadence: at least annual).
- Disaster-recovery objectives: RTO 4h / RPO 24h.
7. International transfers
Where personal data is transferred outside the EEA, Processor relies on the EU Standard Contractual Clauses (2021/914) embedded in the DPAs of the vendors listed at /legal/subprocessors. Signed SCC copies are available on request to security@lydira.com.
8. Return + deletion
Within 30 days of termination, Controller elects either full return (a complete database export plus an archive of stored files) or secure deletion. Deletion completes within 90 days inclusive of backup rotation.
9. Governing law
Governed by the laws of the Republic of Ireland. Disputes subject to the exclusive jurisdiction of the Irish courts, without prejudice to the mandatory jurisdiction of a Supervisory Authority.
To execute this DPA, contact legal@lydira.com. The full signable template is delivered under NDA at the Day 1 kickoff of the Enterprise onboarding playbook.