This Data Processing Addendum (“DPA”) supplements the Terms of Service between Attius Digital Art (“Lacudelph,” “Processor”) and the customer (“Controller”) and applies whenever Lacudelph processes Personal Data on behalf of the Controller in connection with the Service.
By subscribing to a paid Lacudelph plan, the Controller is deemed to have entered into this DPA. Where a separate signed DPA is required (procurement, regulated industries), contact us at /contact.
1. Definitions
- Personal Data, Controller, Processor, Sub-processor, Data Subject: as defined in the EU GDPR (Regulation 2016/679) and the Israeli Privacy Protection Law 5741-1981 with the 2024 amendment.
- Service: the Lacudelph platform as described at lacudelph.com.
- Customer Personal Data: Personal Data submitted by Controller or its end-users (interview participants) to the Service.
2. Roles and scope
Controller is the controller of Customer Personal Data and determines purposes and means of processing. Lacudelph is the processor, processing only on documented instructions from Controller, namely: to provide and operate the Service per the Terms.
3. Categories of data and data subjects
- Data subjects: Controller’s employees and workspace members; interview participants invited by Controller.
- Categories of Personal Data: name, email address, organisation membership, brief content, interview transcripts, derived extraction state, and final takeaway artefacts. IP addresses are processed only for rate-limiting and abuse prevention and are not retained beyond the rate-limit window (currently 1 hour).
- Special categories: not intentionally collected. Controller is responsible for not submitting special-category data through interview content unless it has a lawful basis under GDPR Art. 9.
4. Lacudelph obligations
- Process Customer Personal Data only on documented instructions from Controller (the Terms and the in-app configuration constitute those instructions).
- Ensure persons authorised to process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see §7 Security).
- Assist Controller, taking into account the nature of processing, in fulfilling Controller’s obligation to respond to data-subject requests.
- Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, on reasonable prior notice.
- Notify Controller without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data breach.
5. Sub-processors
Controller authorises Lacudelph to engage the following sub-processors to provide the Service. Lacudelph remains liable for sub-processor performance.
- Vercel Inc. (US/EU) — application hosting and serverless functions.
- Neon Inc. (US-East) — managed PostgreSQL database.
- Resend Inc. (US) — transactional email delivery.
- Anthropic PBC (US) — large-language-model provider for the conductor, meta-noticing, and takeaway generation. Contractually excludes Customer Personal Data from training under their Commercial Terms.
- Vercel AI Gateway (Vercel Inc., US/EU) — request-routing layer in front of LLM providers.
- Paddle.com Market Ltd. (UK; Merchant of Record) — payment processing and tax handling.
- Google LLC (US) — only when Controller’s end-users sign in via Google OAuth.
Lacudelph will give Controller prior notice of any new sub-processor by updating this list at this URL with a new “Last updated” date. Controller may object on reasonable grounds within 14 days; if the parties cannot agree a resolution, Controller may terminate the affected portion of the Service.
6. International transfers
Personal Data may be transferred to the United States, EU, and United Kingdom in the course of providing the Service. Where such transfers are subject to GDPR or UK GDPR, they are made pursuant to the European Commission’s Standard Contractual Clauses (Decision 2021/914) and (where applicable) the UK International Data Transfer Addendum, which are deemed incorporated by reference. Transfers from Israel rely on adequacy or contractual safeguards as required by the Israeli Privacy Protection Authority.
7. Security measures
- HTTPS-only access to the Service; HSTS enabled.
- Database access authenticated via rotating connection-string credentials.
- BYO-key tier API keys are encrypted at rest using AES-256-GCM with a server-side key separate from the session-signing secret. Plaintext keys are never logged.
- Session cookies are HttpOnly, Secure, and signed.
- Per-organisation daily LLM spend caps and per-IP rate limits to prevent runaway use and abuse.
- Logical multi-tenancy: every owning row carries an org_id; queries scope by org_id.
- No personal data is emitted to application logs.
8. Data subject rights
Lacudelph provides Controller with self-service tooling at /org/settings to delete account data, which cascades to briefs, interviews, transcripts, takeaways, and LLM-call telemetry. For requests Lacudelph receives directly from a data subject, Lacudelph will refer them to Controller, except where required by law to act otherwise.
9. Retention and deletion
Lacudelph retains Customer Personal Data for as long as the Controller’s account remains active. On account deletion, cascade deletion is initiated within 30 days, except for billing records retained as required by Israeli tax law (currently up to 7 years for invoices). On termination of the Service, Lacudelph will, at Controller’s choice, delete or return all Customer Personal Data within 30 days, save where retention is required by applicable law.
10. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. This DPA does not modify those limitations except to the minimum extent required by applicable data-protection law.
11. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data only.
12. Governing law
This DPA is governed by the laws of the State of Israel, without regard to conflict-of-law principles, except where mandatory local data-protection law applies.
13. Contact
For questions or to request a signed copy of this DPA, get in touch.