Data Processing Agreement
Preamble
This Data Processing Agreement ("DPA") specifies the data protection obligations of the parties arising from the processing carried out under the principal agreement — the LILY Alpha Programme Terms of Use (the "Principal Agreement") — pursuant to Art. 28 GDPR.
The parties to this DPA are: LILY Labs GmbH, Maudacherstraße 45, 67065 Ludwigshafen am Rhein, Germany, represented by Milan Wiedemann (Chief Executive Officer) — hereinafter "Processor" or "LILY Labs" — and the User admitted to the LILY Alpha Programme pursuant to § 3 of the Principal Agreement who has accepted this DPA during the onboarding process by explicit confirmation (click-wrap) — hereinafter "Controller" or "User".
Unless expressly defined otherwise, the definitions in the Principal Agreement apply. In the event of a conflict between this DPA and the Principal Agreement, the provisions of this DPA prevail on data protection matters.
§ 1 Subject Matter and Duration
(1) The subject matter of the processing is the provision of the LILY Services pursuant to the Principal Agreement, in particular the execution of User Applications on the Void server infrastructure including the required storage, processing and network services.
(2) Where the Controller processes personal data of third parties (in particular end users of their applications running on the Void) in the course of using the LILY Services, such processing is carried out by LILY Labs as processor within the meaning of Art. 28 GDPR on behalf of and on the instructions of the Controller.
(3) Processing commences when the Principal Agreement takes effect and ends upon its termination, at the latest upon the end of the alpha phase. The consequences of termination are governed by § 11 of this DPA and § 17 of the Principal Agreement.
§ 2 Nature and Purpose of Processing
(1) Processing activities include in particular: storage of compiled User Applications and associated configurations; execution of User Applications on the Void server infrastructure; collection of technical log data for error analysis and operational stability; provision of the associated management interface (dashboard); transmission of data between CLI, platform and Void; and deletion of data in accordance with contractual requirements.
(2) The purpose is the provision of the contractually agreed LILY Services and enabling the functionality of the Controller's User Application as intended by the Controller.
§ 3 Categories of Personal Data and Data Subjects
(1) The personal data processed under this DPA are determined by the Controller and introduced through their use of the LILY Services. These typically include: identification and contact data (e.g. name, email address); account and profile data of end users of the User Application; usage, log and connection data of the User Application; and content data where introduced by the Controller.
(2) The Controller expressly may not cause LILY Labs to process: special categories of personal data within the meaning of Art. 9 GDPR; personal data within the meaning of Art. 10 GDPR (criminal convictions and offences); data subject to professional or statutory confidentiality obligations; or classified information. Violation entitles LILY Labs to suspend processing and terminate the Principal Agreement for cause.
(3) Data subjects typically include: end users of the Controller's User Application; business partners and contacts of the Controller; employees of the Controller where relevant for internal applications; and test or dummy data where personal in nature.
§ 4 Obligations of the Processor
(1) LILY Labs processes personal data exclusively within the framework of this DPA, the Principal Agreement and on documented instructions from the Controller. No processing for own purposes takes place, except where required by applicable law; in such case LILY Labs shall inform the Controller before processing unless the law prohibits such notification.
(2) LILY Labs shall bind its employees and all persons engaged in processing to confidentiality and ensure their instruction on applicable data protection requirements (Art. 28(3)(b) GDPR). Confidentiality obligations survive termination of employment.
(3) LILY Labs shall implement the technical and organisational measures set out in Annex 2 of this DPA pursuant to Art. 32 GDPR and review them at appropriate intervals.
(4) LILY Labs shall assist the Controller, taking into account the nature of the processing and the information available to it, in fulfilling its obligations under Art. 32 to 36 GDPR (in particular data protection impact assessments and prior consultation with the supervisory authority).
(5) Contact for data protection matters: milan.wiedemann@lily.org
§ 5 Controller's Instructions
(1) LILY Labs processes personal data exclusively on documented instructions from the Controller. Instructions derive primarily from the Principal Agreement, this DPA and the configurations and actions carried out by the Controller via the LILY Services (CLI and platform).
(2) Instructions beyond the scope of the Principal Agreement require a separate agreement. LILY Labs is not obliged to implement individual special requests not covered by standard LILY Services features.
(3) Instructions shall be given in text form (email to milan.wiedemann@lily.org is sufficient). Verbal instructions must be confirmed in text form without delay.
(4) If LILY Labs considers that an instruction infringes applicable data protection law, it shall immediately inform the Controller. LILY Labs may suspend the instruction until confirmed or amended by the Controller.
§ 6 Sub-processors
(1) The Controller hereby grants LILY Labs general authorisation pursuant to Art. 28(2) GDPR to engage the sub-processors listed in Annex 1 of this DPA.
(2) LILY Labs shall notify the Controller at least thirty (30) days in advance of any intended change to the sub-processors engaged (addition or replacement). Notification is in text form (email to the Controller's registered address).
(3) The Controller may object to a change within fourteen (14) days of receipt for good cause. In the event of a justified objection, both parties are entitled to terminate the Principal Agreement with thirty (30) days' notice. If no objection is raised within the period, the change is deemed approved.
(4) LILY Labs shall conclude a contract with each sub-processor that corresponds to this DPA and contains in particular the obligations listed in Art. 28(3) GDPR. LILY Labs is liable for the sub-processors' compliance with data protection obligations.
(5) No transfer of personal data to sub-processors in third countries outside the EU/EEA takes place under this DPA. All sub-processors listed in Annex 1 process data exclusively in data centres within the European Union.
§ 7 Technical and Organisational Measures
LILY Labs implements the technical and organisational measures described in Annex 2 of this DPA to ensure a level of security appropriate to the risk within the meaning of Art. 32 GDPR. LILY Labs is entitled to adapt the measures to the state of the art provided the level of protection is not reduced. Material changes to the TOMs will be communicated to the Controller in text form.
§ 8 Assistance with Data Subject Rights
(1) LILY Labs shall assist the Controller, to the extent possible and necessary given the nature of the processing, in responding to data subject requests under Art. 12 to 23 GDPR (in particular access, rectification, erasure, restriction, portability and objection).
(2) Where a data subject contacts LILY Labs directly, LILY Labs shall forward the request to the Controller without delay and shall not respond itself.
(3) LILY Labs may charge a reasonable fee for assistance that exceeds the level owed under the Principal Agreement.
§ 9 Personal Data Breach Notification
(1) LILY Labs shall inform the Controller without undue delay, and at the latest within forty-eight (48) hours of becoming aware of a personal data breach within the meaning of Art. 4(12) GDPR occurring in the context of the processing under this DPA.
(2) The notification shall include, where available: a description of the nature of the breach; categories and approximate number of data subjects and records concerned; contact details of the responsible contact at LILY Labs; a description of the likely consequences; and a description of measures taken or proposed to address and mitigate the breach.
(3) Where information is not fully available at the time of the initial notification, LILY Labs shall provide it in stages as it becomes available.
(4) LILY Labs shall support the Controller in fulfilling its notification obligations to the supervisory authority (Art. 33 GDPR) and its communication obligations to data subjects (Art. 34 GDPR) to the extent required.
§ 10 Evidence and Audit Rights
(1) LILY Labs shall demonstrate compliance with the obligations set out in this DPA, in particular by: providing the current version of the TOMs (Annex 2); providing meaningful written information on specific data protection questions; and providing suitable certifications or attestations (e.g. ISO 27001, SOC 2) where available.
(2) The Controller is additionally entitled to have compliance audited by an independent, competent, mutually agreed external auditor bound by confidentiality. The Controller shall give at least four (4) weeks' advance notice in text form. Audits shall take place during LILY Labs's regular business hours and may not unreasonably impair operations. A maximum of one (1) audit per calendar year is permitted unless there is a specific reason for an additional audit.
(3) The costs of the audit, including the auditor's fees and the Controller's own personnel and material costs, are borne by the Controller. LILY Labs may charge a reasonable fee for its own cooperation effort.
(4) Where LILY Labs can provide equivalent evidence through certifications, attestations or audit reports of independent parties, the Controller shall accept these in priority.
§ 11 Return or Deletion after Termination
(1) The Controller may export personal data at any time during the term via the export function provided in the platform. No separate request to LILY Labs is required.
(2) After termination of the Principal Agreement, LILY Labs shall delete all personal data processed under this DPA including User Applications, deployments and associated configurations. Deletion is automated and takes place within a reasonable period after contract end.
(3) It is the Controller's responsibility to export any required data before contract end. There is no obligation to return data after termination.
(4) Where statutory retention obligations prevent deletion, the relevant data remain locked until the applicable period expires, after which they are deleted.
§ 12 Liability
§ 15 of the Principal Agreement applies correspondingly to the liability of the parties under or in connection with this DPA, except where mandatory statutory provisions (in particular Art. 82 GDPR) provide otherwise. In relation to data subjects, each party is liable in accordance with the applicable statutory provisions.
§ 13 Final Provisions
(1) The term of this DPA follows the term of the Principal Agreement. Obligations that by their nature survive termination (in particular confidentiality and deletion) remain unaffected.
(2) Amendments and additions to this DPA require text form. This also applies to the cancellation or amendment of this text form requirement.
(3) Should individual provisions of this DPA be or become wholly or partly invalid, the validity of the remaining provisions is unaffected.
(4) German law applies, excluding the UN CISG and conflict of law provisions. Exclusive place of jurisdiction is Ludwigshafen am Rhein to the extent permitted by law.
(5) In the event of a conflict between this DPA and the Principal Agreement, the provisions of this DPA prevail on data protection matters.
Annex 1 — Sub-processors
The following sub-processors are generally approved by the Controller pursuant to § 6 of this DPA. All sub-processors process personal data exclusively in data centres within the European Union.
IONOS SE — Montabaur, Germany — Karlsruhe / Frankfurt, Germany — Server infrastructure (Void), hosting.
Google Ireland Limited — Dublin, Ireland — EU data centres (europe-west) — Parts of server infrastructure (Void).
Note: Other service providers used by LILY Labs for its own business operations (e.g. Microsoft 365 for internal email, Resend for transactional user emails, PostHog EU Cloud for platform analytics, Plausible for website analytics) do not process Customer Data in the sense of Art. 28 GDPR and are therefore not part of this Annex. They are listed in the LILY Labs Privacy Policy.
Annex 2 — Technical and Organisational Measures (TOMs)
LILY Labs implements the following technical and organisational measures pursuant to Art. 32 GDPR. Measures are continuously adapted to the state of the art.
1. Physical access control. The server infrastructure is operated in certified data centres of sub-processors IONOS SE and Google Ireland Limited within the EU. These data centres implement comprehensive physical access controls (man-traps, CCTV, 24/7 security, access logging) per their certifications (incl. ISO 27001). LILY Labs itself has no premises with productive data processing; staff access is exclusively remote.
2. System access control. Unique personal login accounts per employee (no shared accounts in production); two-factor authentication (2FA) for all admin access to the Void server infrastructure; 2FA for employee accounts at cloud providers (Google Cloud Console, IONOS); hardware security keys (YubiKey) as additional factor for privileged access; VPN required for employee access to production systems; automatic account lockout on inactivity or departure.
3. Data access control. Role-based access control (RBAC); rights assigned on a need-to-know basis; regular review of permissions; logging of administrative access to the Void (audit logs).
4. Transmission control. TLS-encrypted transmission between CLI and Void and between browser and platform; TLS encryption of all employee access to production systems via VPN; data processing exclusively in EU data centres. Encryption of data at rest on the Void is not currently implemented; it is planned for a later stage. The Terms of Use expressly prohibit the processing of sensitive or special-category personal data.
5. Input control. Logging of administrative inputs and configuration changes in the production environment; versioning of infrastructure and configuration changes (infrastructure-as-code); audit logs retained for at least 90 days.
6. Processor control. Written DPAs pursuant to Art. 28 GDPR with all relevant sub-processors (IONOS, Google Cloud); careful selection and vetting of sub-processors; sub-processors are bound to TOMs meeting Art. 32 GDPR requirements.
7. Availability control. Infrastructure operated in geo-redundant data centres of sub-processors with established availability and recovery concepts; malware protection through appropriate technical measures. Regular automated backups of customer data stored on the Void are not performed during the Alpha Programme; users are required under the Alpha Terms to maintain their own backups. A backup strategy is planned for subsequent phases (Beta, GA).
8. Separation control. Logical separation (multi-tenancy) of different users' data on the Void server infrastructure; separation of production, test and development systems; unambiguous assignment of deployments and User Applications to a single user account.
9. Organisational measures. All employees bound to confidentiality (NDA clause in employment contract or separate confidentiality agreement); data protection and security training during employee onboarding; written security policy including internal policies (password policy, access rules, incident response principles); designated responsible contact for data protection matters (management); no data protection officer required under applicable thresholds — eligibility reviewed regularly.
10. Data protection management. Record of processing activities maintained pursuant to Art. 30 GDPR; established processes for handling data subject requests; incident reporting channels including obligation to promptly notify the Controller pursuant to § 9 of this DPA; regular review and further development of TOMs.