Data Processing Addendum

Available without a sales call. Plain-English summary on this page; full document linked below.

Download DPA (PDF) · Download SCCs (EU/UK) · Send a redline

Summary in plain English

If you're reviewing this for a household, a family office, or a small business: here's what matters.

  • You're the controller; we're the processor. You decide what to share with Lossless. We process it on your behalf.
  • Storage region: US-WEST1 by default; EU customers can choose EU-WEST3 at signup. We don't move your data between regions without your consent.
  • Encryption: AES-256 at rest with per-user keys; TLS 1.3 in transit.
  • AI model providers (Anthropic, OpenAI) operate under zero-retention API tiers. Your prompts and responses are not stored or trained on.
  • Sub-processors are listed publicly. Adding one requires 30 days' notice and a privacy review.
  • Breach notification within 72 hours of confirmation. We publish a full post-mortem after every confirmed incident.
  • Audits: SOC 2 Type II, available under NDA. ISO 27001 in 2026.
  • Return/deletion: primary purge within 24 hours of request; backup purge within 30 days; written confirmation when both stages complete.

1. Scope

This DPA forms part of the agreement between you (the "Customer," acting as data controller) and Lossless, Inc. ("Lossless," acting as data processor) for the provision of the Lossless service. It supplements the Terms of Service and privacy policy.

2. Roles

Customer is the controller of personal data they connect to Lossless. Lossless processes that data only on Customer's documented instructions, which include the scope of each connector and any in-product permission toggles.

3. Nature of processing

Lossless processes personal data to: (a) read from Customer-authorized data sources, (b) extract structured records, (c) link records across sources, (d) make those records available to the Customer through chat, chronology, and the records browser, and (e) export them on request.

4. Sub-processors

The current list is at /legal/subprocessors and incorporated by reference. Categories at time of writing: cloud infrastructure (Google Cloud, AWS), authentication (WorkOS, Stytch), payments (Stripe), AI inference (Anthropic, OpenAI — zero-retention tiers), transactional email (Postmark).

We will notify Customers at least 30 days before adding a new sub-processor. If you object, you may terminate without penalty.

5. Security measures

  • Encryption at rest with per-user keys (AES-256) and in transit (TLS 1.3).
  • Role-based access control with append-only audit logs available on request.
  • SOC 2 Type II program; report available under NDA.
  • Access to production data is gated by signed access tickets that expire in 24 hours.
  • Quarterly penetration testing; results summary available under NDA.

6. International transfers

For Customers in the EU/UK, Lossless relies on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, copies of which are downloadable above. EU-resident data is stored in EU-WEST3 by default for EU customers.

7. Breach notification

Lossless will notify Customer in writing within 72 hours of confirming a personal-data breach affecting Customer data. The notification will include known facts, suspected scope, and remediation in progress. We publish post-incident reports on the blog.

8. Audits

Customer may request a copy of our SOC 2 Type II report under NDA. For Customers with a contractual right to audit, Lossless will respond to reasonable audit requests once per year, with 30 days' notice.

9. Return and deletion

On termination, Customer may export all data via the in-product export tool (JSON + original files). After confirmation, Lossless will delete: primary copies within 24 hours; backup copies within 30 days. Audit logs are retained for 7 years to comply with financial and security obligations.

Need a redlined DPA?

We accept reasonable changes. We'll send a redline back within 5 business days for most asks.
