Last Updated: February 2026

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Lassare (the “Processor”) and the customer (the “Controller”) for the use of Lassare’s human-in-the-loop platform services.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, including “personal information” as defined under CCPA.
  • “Processing” means any operation performed on Personal Data.
  • “Data Subject” means the individual to whom the Personal Data relates.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data.
  • “Applicable Data Protection Law” means all applicable laws relating to data protection and privacy, including:
    • EU General Data Protection Regulation (GDPR) 2016/679
    • UK General Data Protection Regulation (UK GDPR)
    • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
    • Other applicable state, federal, or international privacy laws

2. Scope of Processing

2.1 Subject Matter

The Processor provides a human-in-the-loop platform enabling approval workflows, question routing, and notification management for AI agents. Processing occurs when the Controller uses these services.

2.2 Nature and Purpose

Processing is performed to:

  • Deliver questions from AI agents to users via configured channels (Slack, Microsoft Teams, Email)
  • Manage user accounts and access permissions
  • Process billing and subscriptions

2.3 Types of Personal Data

The following categories of Personal Data may be processed:

| Category | Data Elements | Retention |
|---|---|---|
| Account Data | Email address, full name, avatar URL | Duration of account + 30 days |
| Authentication Data | OAuth tokens (encrypted), session identifiers | Duration of account |
| Ask Query Content | Question text delivered via Slack (as submitted by Controller’s agents) | Deleted after delivery; Slack message deleted per Controller preference (immediate, 1 hour, or 24 hours) |
| Usage Data | API request counts, feature usage, timestamps | 12 months |
| Billing Data | Stripe customer reference (no card details stored) | 7 years (legal requirement) |

2.4 Categories of Data Subjects

  • Controller’s employees and contractors using the Portal
  • Individuals whose data is included in questions routed through the service (determined by Controller)

3. Controller Obligations

The Controller shall:

  • Ensure lawful basis for processing under Applicable Data Protection Law
  • Provide clear instructions to the Processor
  • Ensure Data Subjects are informed about the processing
  • Not submit special category data (sensitive personal information) without explicit agreement
  • Respond to Data Subject requests within statutory timeframes

4. Processor Obligations

4.1 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Inform the Controller if an instruction infringes Applicable Data Protection Law
  • Not process Personal Data for purposes other than providing the services
  • Not sell Personal Data or share it for cross-context behavioral advertising (CCPA/CPRA)

4.2 Confidentiality

The Processor ensures that persons authorized to process Personal Data:

  • Have committed to confidentiality or are under statutory obligation
  • Receive appropriate training on data protection requirements

4.3 Security Measures

The Processor implements the following technical and organizational measures:

Encryption:

  • Data encrypted in transit (TLS 1.2+)
  • Data encrypted at rest (AES-256 via AWS KMS)
  • Callback secrets and OAuth tokens encrypted with customer-specific keys

Access Control:

  • Multi-tenancy isolation (company_id-based data segregation)
  • Role-based access control (Admin, Developer, Coder roles)
  • AWS IAM policies with least-privilege access

Infrastructure:

  • Hosted on AWS (US regions)
  • AWS Cognito for authentication
  • DynamoDB with point-in-time recovery
  • CloudWatch logging with configurable retention

Monitoring:

  • Audit logging of administrative actions
  • Circuit breaker patterns for notification delivery
  • Automated security scanning in CI/CD pipeline

4.4 Sub-processors

The Controller grants general authorization for the Processor to engage Sub-processors listed in Section 9. The Processor shall:

  • Inform the Controller of intended changes to Sub-processors
  • Provide 30 days’ notice before engaging new Sub-processors
  • Ensure Sub-processors are bound by equivalent data protection obligations
  • Remain liable for Sub-processor compliance

4.5 Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests for:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten” / “right to delete”)
  • Data portability
  • Restriction of processing
  • Objection to processing
  • Opt-out of sale/sharing (CCPA/CPRA - Lassare does not sell data)

Requests should be directed to: hello@lassare.com

4.6 Data Breach Notification

The Processor shall:

  • Notify the Controller without undue delay (within 72 hours) of a Personal Data breach
  • Provide information necessary for the Controller to meet its breach notification obligations
  • Document all breaches including facts, effects, and remedial action taken

4.7 Deletion and Return

Upon termination of services:

  • Personal Data will be deleted within 30 days of account deletion
  • Controller may request data export before account deletion via the Portal
  • Billing records retained for 7 years as required by law
  • Encrypted backups purged according to AWS retention policies

5. International Transfers

Personal Data may be transferred outside the European Economic Area (EEA) or United Kingdom to:

  • United States (AWS US regions, Slack, Stripe)

Such transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
  • Adequacy decisions where applicable
  • Supplementary measures including encryption and access controls

6. Jurisdiction-Specific Terms

6.1 European Union (GDPR)

For Personal Data subject to GDPR:

  • Processor acts as a “processor” under Article 28
  • Controller remains the “controller” as defined in Article 4(7)
  • Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference

6.2 United Kingdom (UK GDPR)

For Personal Data subject to UK GDPR:

  • This DPA constitutes a valid data processing agreement under UK GDPR Article 28
  • The UK International Data Transfer Addendum is incorporated for transfers outside the UK

6.3 California (CCPA/CPRA)

For Personal Information of California residents:

  • Processor acts as a “Service Provider” under CCPA/CPRA
  • Processor will not sell or share Personal Information
  • Processor will not retain, use, or disclose Personal Information except as necessary to perform services
  • Processor will comply with CCPA/CPRA obligations applicable to Service Providers

6.4 Other US States

For Personal Data subject to other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.):

  • Processor will process data only as instructed by Controller
  • Processor will assist Controller in meeting obligations under applicable state laws

7. Audit Rights

The Controller may:

  • Request evidence of compliance with this DPA
  • Request third-party audit reports (SOC 2 Type II when available)
  • Conduct audits with reasonable notice (minimum 30 days)

The Processor shall make available information necessary to demonstrate compliance.

8. Liability

Each party’s liability under this DPA is subject to the limitations set forth in the Terms of Service.

9. Sub-processors

The following Sub-processors are authorized to process Personal Data:

| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, authentication, email delivery (SES) | United States | All service data |
| Stripe | Payment processing | United States/EU | Billing references (no card data) |
| Slack Technologies (Salesforce) | Notification delivery | United States | Notification content, user identifiers |
| Microsoft Corporation | Teams notification delivery | United States/EU | Notification content, user identifiers |

Current Sub-processor list available at: https://lassare.com/en/dpa

10. Duration

This DPA shall remain in effect for the duration of the Controller’s use of the services and until all Personal Data is deleted in accordance with Section 4.7.

11. Governing Law

This DPA is governed by the laws of Italy, consistent with the Terms of Service. Any disputes shall be subject to the exclusive jurisdiction of the Tribunale di Cagliari, Italy. For EU data subjects, disputes may alternatively be brought before courts in the EU member state of the data subject’s habitual residence.

Contact

For questions about this DPA or to exercise rights under this agreement:

Data Protection Contact: hello@lassare.com

Company: Stooj S.r.l.
Registered Office: Quartu Sant’Elena (CA), Sardinia, Italy
VAT (P.IVA): 03932870920
