Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Lammii Terms of Service and applies when Lammii processes personal data on behalf of customers ("Controller") subject to GDPR, UK GDPR, or comparable data protection laws.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject" have the meanings given in GDPR Art. 4. "Customer Data" means any Personal Data Lammii processes on Controller's behalf.
2. Roles
Customer is the Controller. Lammii is the Processor (or Sub-Processor where applicable). Each party will comply with applicable data protection laws.
3. Subject matter, duration, nature, purpose
- Subject matter: provision of the Lammii Service.
- Duration: term of the underlying agreement plus retention period in the Privacy Policy.
- Nature/purpose: hosting, processing, displaying Customer Data to deliver Service features (Wizard, Drops, Negotiator, Passport, etc.).
- Categories of Data Subjects: end users, audience contacts, brand contacts.
- Categories of Personal Data: identifiers (email, name), engagement data, payment metadata, content uploaded.
4. Lammii obligations
- Process Customer Data only on documented instructions from Controller.
- Ensure personnel processing data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Annex II below).
- Assist Controller in responding to Data Subject rights requests.
- Notify Controller of personal data breaches within 72 hours.
- Delete or return all Customer Data upon termination.
5. Sub-processors
Authorized sub-processors are listed in our Privacy Policy. Lammii will give 30 days' notice of new sub-processors via email or in-app banner. Controller may object; if a satisfactory resolution cannot be reached, Controller may terminate the affected portion of the Service.
6. International transfers
Where Customer Data is transferred outside the EEA/UK, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum.
7. Security measures (Annex II)
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Row-level security on all customer data tables.
- Role-based access for personnel; least-privilege.
- Audit logs of administrative actions.
- Annual penetration testing.
- Vendor reviews for sub-processors.
- Backup with point-in-time recovery (Supabase).
- Incident response plan with 72-hour notification SLA.
8. Audit
Controller may audit Lammii's compliance once per year, on 30 days' written notice, during business hours, at Controller's expense, subject to confidentiality. Lammii may satisfy this obligation by providing third-party audit reports (SOC 2 Type II once available).
9. Liability
Liability under this DPA is subject to the limitations in the Lammii Terms of Service.
Contact
To execute a counter-signed DPA: dpa@lammii.com