This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Terms and Conditions and/or any ordering document referencing this DPA (together, the “Agreement”) between:
Processor: ARYAXAI RESEARCH AND DEVELOPMENT LABS INC (operating Lexsi.ai) (“Lexsi”, “Processor”, “we”, “us”)
Address: ARYAXAI RESEARCH AND DEVELOPMENT LABS INC, Attn: Privacy Team, 3828 Kennett Pike, Suite 212, Greenville, DE 19807-2331
and
Customer: the entity accepting this DPA (“Customer”, “Controller”, “you”).
This DPA applies to the extent Lexsi Processes Personal Data on Customer’s behalf in providing the Services.
1) Definitions
1.1 “Applicable Data Protection Laws” means laws applicable to the Processing of Personal Data under the Agreement, including (where applicable) the EU GDPR, UK GDPR, Swiss data protection law, and U.S. state privacy laws such as CCPA/CPRA.
1.2 “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-processor”, and “Personal Data Breach” have the meanings given in Applicable Data Protection Laws.
1.3 “Customer Personal Data” means Personal Data included in Customer Content or otherwise provided to the Services that Lexsi Processes on behalf of Customer.
1.4 “Customer Content” means data, files, text, prompts, datasets, or other content submitted to the Services by or for Customer.
2) Roles of the Parties
2.1 Customer is Controller. Customer determines the purposes and means of Processing Customer Personal Data and is responsible for compliance with Applicable Data Protection Laws (including having a lawful basis and providing required notices).
2.2 Lexsi is Processor. Lexsi Processes Customer Personal Data only as a Processor on behalf of Customer as described in this DPA.
3) Processing Instructions
3.1 Documented instructions. Lexsi will Process Customer Personal Data only:
(a) to provide, secure, and support the Services under the Agreement;
(b) in accordance with Customer’s documented instructions, which include the Agreement, this DPA, and Customer’s use/configuration of the Services; and
(c) as required by law (in which case Lexsi will notify Customer unless legally prohibited).
3.2 Unlawful instructions. If Lexsi reasonably believes an instruction violates Applicable Data Protection Laws, Lexsi will notify Customer and may suspend the affected Processing until resolved.
4) Confidentiality
Lexsi will ensure that personnel authorized to Process Customer Personal Data are bound by confidentiality obligations and access Customer Personal Data only on a need-to-know basis.
5) Security
5.1 Security measures. Lexsi will implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, or alteration, taking into account the risks presented by the Processing.
5.2 Customer responsibilities. Customer is responsible for securing its own systems, devices, credentials, and access to the Services (including safeguarding API keys and user accounts).
(See Schedule 2 for a concise security summary.)
6) Sub-processors
6.1 General authorization. Customer authorizes Lexsi to use Sub-processors to Process Customer Personal Data for providing the Services.
6.2 Flow-down terms. Lexsi will impose data protection obligations on Sub-processors that are no less protective than those in this DPA.
6.3 Responsibility. Lexsi remains responsible for its Sub-processors’ performance of their obligations under this DPA, subject to the Agreement’s liability terms.
6.4 Updates. Lexsi may update its Sub-processor list as its business evolves. Where required, Lexsi will provide notice of material changes (for example, by updating this DPA or a published list) and allow Customer to object on reasonable data protection grounds.
(See Schedule 3 for the current Sub-processors.)
7) Data Subject Requests; Assistance
7.1 Requests. If Lexsi receives a Data Subject request regarding Customer Personal Data, Lexsi will (to the extent legally permitted) notify Customer and will not respond directly except on Customer’s documented instructions or as required by law.
7.2 Assistance. Taking into account the nature of the Processing and information available to Lexsi, Lexsi will provide reasonable assistance to Customer with Data Subject requests, breach notifications, DPIAs, and regulator inquiries related to the Services. Lexsi may charge reasonable fees for assistance that goes beyond what is required to provide the Services, where permitted by law.
8) Personal Data Breach
8.1 Notification. Lexsi will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 Details and mitigation. Lexsi will provide information reasonably necessary for Customer’s compliance obligations (to the extent available) and will take reasonable steps to contain, investigate, and remediate the breach.
9) Return and Deletion
9.1 Upon termination. Upon termination or expiration of the Agreement, Lexsi will delete or return Customer Personal Data in accordance with the Agreement, unless retention is required by law.
9.2 Backups. Customer Personal Data may remain in backups for a limited period consistent with Lexsi’s backup and disaster recovery practices, and will remain protected during that period.
10) International Transfers
10.1 Safeguards. Where cross-border transfers of Customer Personal Data require safeguards under Applicable Data Protection Laws, Lexsi will use appropriate transfer mechanisms (such as Standard Contractual Clauses and, where applicable, the UK Addendum), completed using this DPA’s Schedules.
11) Special Categories of Personal Data
Customer may submit Special Categories of Personal Data (and/or data relating to criminal convictions/offences) only with Customer’s prior written permission to Lexsi that:
(a) identifies the relevant Special Categories;
(b) confirms Customer has a valid lawful basis and satisfies applicable legal requirements; and
(c) (where appropriate) agrees on additional safeguards (for example, enhanced access controls, encryption, minimization, and retention limits).
12) CCPA/CPRA (If Applicable)
To the extent CCPA/CPRA applies to Customer Personal Data, Lexsi will act as a “service provider” / “processor” (as applicable) and:
(a) will not sell or share Customer Personal Data;
(b) will Process Customer Personal Data only to provide the Services and as otherwise permitted by law; and
(c) will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by law.
13) Audit and Compliance Information
Upon reasonable request, Lexsi will make available information reasonably necessary to demonstrate compliance with this DPA (which may include security summaries and third-party assurance materials if available), subject to confidentiality and reasonable limits to protect security and other customers.
14) Liability; Precedence
14.1 Liability. Liability under this DPA is subject to the Agreement’s limitations of liability, except where prohibited by law.
14.2 Precedence. If SCCs apply, they prevail over this DPA to the extent of any conflict regarding international transfers; otherwise, this DPA prevails over conflicting terms in the Agreement for data protection matters.
15) Contact
Privacy Team (Processor):
ARYAXAI RESEARCH AND DEVELOPMENT LABS INC, Attn: Privacy Team
3828 Kennett Pike, Suite 212, Greenville, DE 19807-2331
Email: privacy@lexsi.ai
Schedule 1: Processing Details
Subject matter: Provision of the Lexsi.ai Services (including evaluation workflows, explainability tooling, diagnostics, user management, and support).
Duration: For the term of the Agreement plus limited periods for deletion/return, backups, and legal compliance.
Nature of Processing: Collection, storage, analysis, retrieval, transmission, and deletion as necessary to provide and secure the Services.
Purpose: To provide, maintain, secure, and support the Services; prevent abuse; and comply with legal obligations.
Categories of Data Subjects: Customer’s Authorized Users and individuals whose data Customer includes in Customer Content.
Categories of Personal Data: Account identifiers (name/email), authentication and access logs, usage telemetry, support communications, and any Personal Data included in Customer Content.
Schedule 2: Security Measures
Lexsi maintains a security program that may include: access controls (least privilege), encryption in transit, secure credential management, monitoring/logging, vulnerability management, backup and recovery practices, and personnel confidentiality obligations. Measures evolve over time and are designed to reduce risks appropriate to the Processing.
Schedule 3: Sub-processors
The following Sub-processors may Process Customer Personal Data to deliver the Services:
- Amazon Web Services (AWS)
Purpose: Cloud infrastructure hosting, storage, backups, and related processing needed to run the Services.
Typical data: Customer Content (as stored), account data, logs. - Intercom
Purpose: Customer support communications (in-app chat/helpdesk), onboarding/support messaging.
Typical data: Contact details, support content, conversation metadata. - HubSpot
Purpose: Customer relationship management and communications related to the Services (e.g., account management, onboarding, product communications where enabled/used).
Typical data: Contact and account data, communication history. - Mailchimp
Purpose: Email campaigns and user notifications (including product communications and, where applicable, marketing communications).
Typical data: Contact details, email engagement data, communication preferences.
Note: Some communications (especially marketing) may be sent based on user preferences/consent settings and may also be governed by Lexsi’s Privacy Policy and applicable marketing laws (e.g., CAN-SPAM, PECR/ePrivacy where applicable).