
Data Processing Agreement (DPA)

Last updated: 2026-05-09

Status: This DPA is a working draft awaiting outside counsel review. The text is published so customers can evaluate Seizn's data-handling commitments. The final, signed DPA controls. For an executable copy on customer paper, contact [email protected].

1. Parties

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement, Subscription Agreement, or equivalent terms ("Principal Agreement") between:

  • Customer (the "Controller"), the entity that has subscribed to Seizn Author or Seizn API/MCP services on its own behalf or on behalf of an Authorised Affiliate; and
  • Litheon LLC, a Wyoming limited liability company operating the Seizn services (the "Processor").

Where this DPA conflicts with the Principal Agreement on data processing matters, this DPA prevails.

2. Definitions

Capitalised terms not defined here have the meaning given in Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and Korea's Personal Information Protection Act ("PIPA"). "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings given in those laws.

"Applicable Data Protection Law" means GDPR, UK GDPR, CCPA/CPRA, PIPA, and any other data protection or privacy law applicable to the Processing of Personal Data under the Principal Agreement.

3. Subject matter, duration, nature, and purpose

| Item | Description |
|---|---|
| Subject matter | Processing of Personal Data submitted by Controller through the Seizn services. |
| Duration | The term of the Principal Agreement plus any retention period required by Applicable Data Protection Law. |
| Nature & purpose | Hosting, storing, retrieving, and processing Personal Data to deliver the Seizn services Controller has subscribed to. |
| Categories of Data Subjects | Controller's end users, employees, contractors, customers, and any individuals whose Personal Data Controller submits to Seizn. |
| Categories of Personal Data | Account identifiers (email, name), authentication tokens, content submitted by Data Subjects, usage telemetry, and any Personal Data Controller chooses to store in Seizn-managed memory or content fields. |
| Special category data | Not anticipated. Controller must not submit special category data (GDPR Art. 9) without a written addendum. |

4. Controller obligations

Controller (a) has and will maintain a lawful basis for the Processing it instructs; (b) is responsible for the accuracy and legality of the Personal Data it submits; (c) will provide notices and obtain consents required for Seizn to perform the services; and (d) will not instruct Processing that violates Applicable Data Protection Law.

5. Processor obligations (GDPR Art. 28(3))

Processor will:

  1. Process only on documented instructions. Process Personal Data only on Controller's documented instructions, including those given through Controller's use of the Seizn services and configuration settings, except where required by Applicable Data Protection Law (in which case Processor will inform Controller of the requirement before Processing, unless prohibited by law).
  2. Confidentiality. Ensure that personnel authorised to Process Personal Data are bound by written confidentiality obligations.
  3. Security. Implement and maintain the technical and organisational measures described in Annex II.
  4. Sub-processors. Engage Sub-processors only under §6 below.
  5. Data subject rights assistance. Provide reasonable assistance, by appropriate technical and organisational measures, for Controller to respond to Data Subject requests under Applicable Data Protection Law.
  6. DPIA & breach assistance. Assist Controller, taking into account the nature of Processing and information available to Processor, in complying with GDPR Art. 32–36, including data protection impact assessments and prior consultation with supervisory authorities.
  7. Breach notification. Notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data, with the information required by GDPR Art. 33(3).
  8. Return or deletion. At Controller's election, delete or return all Personal Data after the end of the provision of services, and delete existing copies, unless retention is required by Applicable Data Protection Law.
  9. Audit cooperation. Make available to Controller information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, in line with §8 below.

6. Sub-processors

Controller authorises Processor to engage the Sub-processors listed at https://www.seizn.com/en/legal/subprocessors ("Sub-processors page") to process Personal Data.

Processor will:

  • maintain the Sub-processors page as the up-to-date list;
  • give Controller at least thirty (30) days' prior notice of any new Sub-processor (via the Sub-processors page and, for customers on Studio tier and above, by email or in-app notice);
  • impose data protection obligations on each Sub-processor that are no less protective than those in this DPA;
  • remain liable for each Sub-processor's acts and omissions to the same extent Processor would be liable if Processor performed the Sub-processor's services directly.

If Controller objects in good faith to a new Sub-processor within thirty (30) days, the parties will work in good faith to resolve the objection. If no resolution is reached, Controller may terminate the affected service for material breach with a pro-rata refund of pre-paid fees for the unused term.

7. International transfers

Where Processing involves the transfer of Personal Data outside the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with comparable transfer rules:

  • The parties incorporate by reference the Standard Contractual Clauses ("SCCs") adopted by the European Commission in Decision (EU) 2021/914, Module Two (Controller-to-Processor), with Annexes I, II, and III populated as set out below.
  • For UK transfers, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (version B1.0).
  • For Swiss transfers, the SCCs apply with adaptations specified by the Swiss Federal Data Protection and Information Commissioner.

In the event of a conflict between this DPA and the SCCs, the SCCs prevail solely with respect to Restricted Transfers.

8. Audit rights

Once per twelve (12) month period, on at least thirty (30) days' written notice, Controller (or an independent third-party auditor bound by confidentiality and not a competitor of Processor) may audit Processor's compliance with this DPA. Audits will be conducted during business hours, will not unreasonably interfere with Processor's operations, and will be at Controller's expense.

For customers below the Studio tier, Processor satisfies its audit obligation by providing, on request: (a) Processor's most recent third-party security report when one is available; (b) a completed Cloud Security Alliance CAIQ or equivalent self-assessment; and (c) responses to reasonable written questions.

9. Personal Data breach

Processor's breach notification under §5(7) will include, to the extent known: (a) the nature of the Personal Data Breach; (b) the categories and approximate number of Data Subjects and records concerned; (c) likely consequences; and (d) measures taken or proposed. Processor will update Controller as additional information becomes available.

Where breach notification to a supervisory authority or to Data Subjects is required under PIPA Art. 34 (Korea), Processor will also assist Controller in meeting the seventy-two (72) hour notification window applicable in Korea.

10. Term, termination, return and deletion

This DPA terminates automatically when the Principal Agreement terminates or expires, except that obligations relating to confidentiality, audit cooperation, return/deletion, and limitation of liability survive.

Following termination, Processor will, at Controller's option exercised within thirty (30) days: (a) delete all Personal Data in Processor's possession; or (b) return Personal Data to Controller in a structured, commonly used, machine-readable format, and then delete it. Backups containing Personal Data will be cycled out within ninety (90) days under Processor's standard retention policy, during which they remain protected by this DPA's security obligations.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Principal Agreement, except where Applicable Data Protection Law expressly precludes such limitation (e.g., direct claims by Data Subjects).

12. Order of precedence

In the event of conflict, the order of precedence is: (i) the SCCs (for matters they govern); (ii) this DPA; (iii) the Principal Agreement.

13. Governing law

This DPA is governed by the law specified in the Principal Agreement, except that the SCCs are governed by their own choice-of-law clause, and the UK Addendum by the laws of England and Wales.

14. Contact


Annex I — Parties and transfer description

Data exporter: Controller (the entity that subscribed to the Seizn services). Data importer: Litheon LLC (Processor) and the Sub-processors listed at /legal/subprocessors.

Frequency of transfer: Continuous, on Controller's instructions. Purpose: As described in §3 of this DPA. Period of retention: For the term of the Principal Agreement, plus any post-termination retention required by Applicable Data Protection Law. Competent supervisory authority: For EU transfers, the supervisory authority of the EU Member State in which the Controller is established. For UK transfers, the Information Commissioner's Office.

Annex II — Technical and organisational security measures

Processor implements the following measures, each detailed in Processor's security documentation and updated as the threat environment evolves:

  • Encryption. TLS 1.2+ in transit; AES-256 at rest for primary stores; envelope encryption for secrets.
  • Access control. Single sign-on, MFA enforced for production access; least-privilege RBAC; quarterly access reviews; just-in-time elevation for admin access.
  • Network security. WAF (Cloudflare), DDoS protection, rate limiting at the edge, segmented production VPCs, isolated CI runners.
  • Application security. Dependency scanning (Dependabot), static analysis (Semgrep, CodeQL), container scanning (Trivy), pre-merge code review on all changes, secret scanning.
  • Vulnerability management. Annual third-party penetration test; continuous internal vulnerability scanning; patched within published SLAs by severity.
  • Logging & monitoring. Centralised audit logs (90-day default retention); intrusion detection; security event alerting; self-hosted error tracking (GlitchTip on Hetzner DE).
  • Resilience. Daily encrypted backups with off-region copy (Cloudflare R2); documented recovery runbook; quarterly restore testing.
  • Personnel. Background checks where lawfully permitted; signed confidentiality agreements; mandatory annual security and privacy training.
  • Incident response. Documented runbook; on-call rotation; ≤72h customer notification target for confirmed Personal Data Breaches.
  • Sub-processor management. Pre-engagement security review; signed DPAs; ongoing monitoring of public security postures.

Annex III — Sub-processors

The current list of Sub-processors is maintained at https://www.seizn.com/en/legal/subprocessors. Material updates to that page constitute notice of new Sub-processors for purposes of §6 of this DPA.