Data Processing Agreement

1. Roles

Data Controller: The website operator who integrates LyraAuth and determines the purpose of processing.

Data Processor: Lyra Labs, who processes data on behalf of the Controller.

2. Subject Matter

Categories of personal data: challenge responses, session identifiers, browser user agent strings.

Purpose: Human verification and AI model training data collection.

3. Security Measures

• HTTPS encryption for all data in transit
• AES-256 encryption for data at rest
• Access controls limiting data access to authorized systems only
• Regular security reviews

4. Data Subject Rights

Lyra Labs will assist the Controller in responding to data subject requests (access, erasure, portability) within 72 hours of request.

5. Deletion

• Session data: deleted within 30 days of termination
• Anonymized training records: retained (no personal data linkage possible)
• Secret keys: invalidated immediately upon termination

6. Audit Rights

The Controller may audit Lyra Labs' compliance with this DPA once per year with 30 days' notice.

7. Acceptance

By registering for LyraAuth, the website operator accepts this DPA. For EU/UK deployments, have your legal counsel review this agreement.

Contact

[email protected]