Data Processing Addendum (DPA)
This DPA forms part of the agreement between Lilypad Solutions and customers using our services.
Effective Date: November 24, 2025
This Data Processing Addendum (“DPA”) forms part of the agreement between Lilypad Solutions (“Processor”) and customers using our services (“Controller”).
1. Purpose
Lilypad processes Personal Data solely to deliver services requested by the customer.
2. Obligations of Lilypad (Processor)
- Process data only according to documented instructions
- Maintain industry-standard security
- Ensure staff are bound by confidentiality
- Notify you promptly of any confirmed data breach
- Assist with data subject rights when requested
- Support compliance with data protection laws (GDPR/CCPA where applicable)
3. Obligations of Customer (Controller)
- Provide only lawful data
- Ensure you have a legal basis to submit personal data
- Not upload sensitive or high-risk data unless required and approved
- Comply with applicable data protection laws
4. Subprocessors
Lilypad uses subprocessors to deliver the service. These include:
- Vercel
- MongoDB Atlas
- Stripe
- Analytics providers (for optional website tracking)
Lilypad ensures subprocessors operate under comparable data protection obligations. See our Subprocessors list.
5. Data Security
Security measures include encryption in transit (HTTPS), encrypted storage, access limitations, and secure hosting environments.
6. International Transfers
Data may be stored or processed in Canada, the USA, the EU, or other regions where subprocessors operate.
7. Breach Notification
If a confirmed breach occurs, Lilypad will notify you without undue delay.
8. Data Return & Deletion
Upon request or termination, data will be deleted or returned (where technically possible) unless required by law to retain.
9. Liability
Liability is limited according to the Terms & Conditions.