Data Processing Agreement (DPA)

Last updated: 2026-05-09

This Data Processing Agreement (the "DPA") is the standard processing agreement that Lexborn offers to business and enterprise customers ("Customer") who use the Service in a way that causes Lexborn to process personal data on their behalf. It is designed to satisfy Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the equivalent provisions of the UK GDPR and the Swiss nFADP, and the requirements of the EU Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914.

This page is the template text. To execute the DPA against your entity, email hi@lexborn.app with your entity name, address, billing identifier, and signatory details, and we will counter-sign and return a PDF.

1. Parties

  • Lexborn — Bapusaheb Patil, trading as Nuits, a Finnish toiminimi with business identifier Y-tunnus 3584845-8, established in Finland ("Lexborn", "Processor"). Full legal-entity disclosure at /imprint.
  • Customer — the legal entity identified in the executed DPA cover sheet, acting as Controller in respect of the personal data described in Annex I.

Lexborn and Customer are each a "Party" and together the "Parties".

2. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. "Personal data", "processing", "controller", "processor", "data subject", "personal-data breach", and "supervisory authority" have the meanings given in Article 4 GDPR. "Sub-processor" means any processor engaged by Lexborn to process personal data on Customer's behalf.

3. Subject matter and duration

This DPA governs Lexborn's processing of personal data on Customer's behalf for the purpose of providing the Service to Customer and Customer's authorised users, in accordance with the Terms of Service at /terms. The DPA takes effect on the date of execution and remains in force for as long as Lexborn processes personal data on Customer's behalf. Sections that by their nature should survive (confidentiality, return/deletion, audit, liability, governing law) survive termination.

4. Roles

In most direct-to-user use of the Service, Lexborn is the controller of end-user personal data and this DPA does not apply to that processing — the Privacy Policy does. For B2B integrations in which Customer enrols its own employees, students, or customers as users of the Service, Lexborn acts as Processor for the personal data those users submit, and Customer acts as Controller. The Parties may further agree, on the cover sheet, that certain data is processed in a controller-to-controller or joint-controller capacity, in which case the relevant clauses below apply mutatis mutandis.

5. Annex I — Categories of data subjects, personal data, and processing

5.1 Categories of data subjects

Customer's authorised end-users of the Service (e.g. employees, contractors, students, course participants).

5.2 Categories of personal data

  • Identifiers: name, email address, Clerk user ID, IP address (truncated), device/browser metadata.
  • Authentication metadata: sign-in timestamps, MFA enrolment status.
  • Voice and transcript data: streamed audio, real-time and stored transcripts.
  • Memory documents and learning state: structured summaries, flashcards, CEFR proficiency level.
  • Usage analytics: events, feature-flag exposure (consent-gated).
  • Billing metadata (where Customer is the payer): subscription identifiers, invoice metadata.

5.3 Sensitive data

The Service does not solicit special-category data within the meaning of Article 9(1) GDPR. Voice recordings are processed as ordinary personal data; we do not process them for the purpose of uniquely identifying a natural person and do not run speaker-identification, voiceprint-matching, or emotion-recognition. Transcripts may incidentally contain special-category data if a user volunteers it.

5.4 Nature and purpose of processing

Hosting, transcription, conversational response generation, learning-state inference, billing where applicable, security and abuse detection, and customer support, all in order to deliver the Service to Customer.

5.5 Duration

For the term of the contract plus the retention periods specified in §10 of the Privacy Policy and §11 below.

6. Annex II — Technical and organisational security measures

Lexborn applies the technical and organisational security measures described in Section 9 of the Privacy Policy, which is incorporated here by reference. These include in summary: HTTPS/TLS in transit; AES-256-equivalent encryption at rest at all sub-processors; Clerk-managed authentication with MFA; least-privilege architecture in Convex; vulnerability management and dependency monitoring; access logging; and a 72-hour breach-notification process.

On request and subject to a non-disclosure agreement, Lexborn will provide Customer with a more detailed security-controls summary suitable for vendor-risk-assessment processes.

7. Customer instructions

Lexborn processes personal data only on documented instructions from Customer, including with regard to transfers, unless required to do otherwise by EU or Member-State law. The Service-configuration choices Customer makes (region, retention settings, audio-retention defaults, sub-processor opt-outs where offered) constitute Customer's documented instructions. Lexborn will inform Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

8. Sub-processors

Customer authorises Lexborn to engage the sub-processors listed at /legal/subprocessors to process personal data on Customer's behalf. Lexborn imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, by way of a written sub-processor agreement.

Lexborn will give Customer at least 30 days' prior notice of any new sub-processor or material change to an existing sub-processor relationship, by email to the contact on file and by updating the public sub-processors page. If Customer reasonably objects on data-protection grounds, the Parties will discuss in good faith; if no resolution is reached, Customer may terminate the affected portion of the Service for cause and receive a pro-rated refund of any prepaid fees.

9. International transfers

Where personal data is transferred from the EEA, the United Kingdom, or Switzerland to a country outside those jurisdictions that does not benefit from an adequacy decision, the Parties rely on the European Commission's Standard Contractual Clauses Module 2 (controller-to-processor) and, where applicable, Module 3 (processor-to-processor), as adopted by Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference. Where a sub-processor is certified under the EU–U.S. Data Privacy Framework ("DPF") and its UK and Swiss extensions, the DPF additionally serves as a transfer mechanism. Lexborn carries out transfer-impact assessments in line with EDPB Recommendations 01/2020 and applies technical supplementary measures (encryption in transit and at rest, pseudonymisation where feasible).

The optional clauses of the Standard Contractual Clauses are completed as follows: Clause 7 (docking) is selected; Clause 9(a), Option 2 (general written authorisation) with 30 days' prior notice is selected; Clause 11(a) (independent dispute resolution) is not selected; Clause 17 governing law is the law of Finland; Clause 18 jurisdiction is the courts of Helsinki, Finland.

10. Audit and inspection

Lexborn will make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR. On request and subject to confidentiality, Lexborn will provide:

  • the latest available SOC 2, ISO 27001, or equivalent reports of its sub-processors (e.g. OpenAI, Convex, Clerk, Vercel, Polar.sh);
  • written answers to a reasonable security questionnaire;
  • summary information about its own technical and organisational measures.

In addition, Customer may carry out a mandated audit or on-site inspection by mutual agreement, no more than once per calendar year, at Customer's expense, on at least 30 business days' written notice, during business hours, with reasonable scope, and subject to confidentiality. The audit must not unreasonably disrupt Lexborn's business or compromise the security or confidentiality of other customers' data. Where Customer is a regulated entity required by its supervisory authority to inspect more frequently, the Parties will agree a proportionate process in good faith.

11. Personal-data breach notification

Lexborn will notify Customer without undue delay and in any event within 72 hours of becoming aware of a personal-data breach affecting personal data processed on Customer's behalf. The notification will contain, to the extent then known:

  • the nature of the breach, including categories and approximate numbers of data subjects and records;
  • the likely consequences;
  • the measures taken or proposed to address the breach and to mitigate possible adverse effects;
  • a contact point for further information.

Lexborn will assist Customer in meeting Customer's own notification obligations under Articles 33 and 34 GDPR.

12. Assistance to Customer

Taking into account the nature of processing and the information available, Lexborn will assist Customer (where appropriate, by suitable technical and organisational measures) in fulfilling its obligations under Articles 32–36 GDPR, including data-subject requests, data-protection impact assessments, and prior consultation. Where Customer requests assistance that goes beyond the standard functionality of the Service, Lexborn may charge a reasonable fee at its then-current professional-services rates.

13. Confidentiality

Lexborn ensures that persons authorised to process personal data are bound by appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

14. Return or deletion of data

On termination of the contract, Lexborn will, at Customer's choice, delete or return all personal data processed on Customer's behalf, and delete existing copies, unless EU or Member-State law (including Finnish bookkeeping law) requires storage. Standard deletion follows the retention schedule in §6 of the Privacy Policy. On request, Lexborn will issue a written confirmation of deletion.

15. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions in section 10 of the Terms of Service. Nothing in this DPA limits or excludes liability that cannot lawfully be limited or excluded, including liability under Article 82 GDPR for damages caused by processing.

16. Governing law and jurisdiction

This DPA is governed by the laws of Finland, excluding its conflict-of-laws rules and excluding the United Nations Convention on Contracts for the International Sale of Goods. The courts of Helsinki, Finland have exclusive jurisdiction, save that EU consumers retain the protective jurisdiction rights conferred by Regulation (EU) No 1215/2012.

17. Order of precedence

In case of conflict between (a) this DPA, (b) the Standard Contractual Clauses incorporated under §9, and (c) the Terms of Service, the order of precedence is: (b) > (a) > (c) for matters concerning data-transfer compliance, and (a) > (c) for other data-protection matters.

18. Execution

To execute, email hi@lexborn.app with your entity name, registered address, registration number, signatory name and role, and any cover-sheet customisation you require. We will counter-sign and return a PDF copy. Electronic signature (DocuSign, Dropbox Sign, qualified electronic signature under eIDAS Regulation (EU) No 910/2014) is acceptable.