
Data Processing Agreement

The terms under which my·lobbyist processes personal data on behalf of paying customers, in line with Article 28 of the GDPR.

Last updated · 17 May 2026

00

Summary

This DPA forms part of our Terms of Service and applies whenever [Company Legal Name] (“my·lobbyist”, the Processor) processes personal data on behalf of a paying Customer (the Controller) through the my·lobbyist platform.

Trial users on the free tier are covered by the Privacy Policy, not this DPA. Customers on the Team and Consultancy plans can request a counter-signed copy by emailing dpa@mylobbyist.eu.

Key facts

  • Sole sub-processor: Google (Cloud, Workspace, Firebase).
  • Primary data residency: EU (Google Cloud EU regions).
  • Breach notification: within 72 hours of awareness.
  • Data return / deletion: within 30 days of termination.

01

Definitions

Capitalised terms not defined here have the meaning given in the GDPR or in our Terms of Service. In particular, Controller, Processor, Data Subject, Personal Data, Processing and Sub-processor shall have the meaning given to them in Regulation (EU) 2016/679 (GDPR).

02

Subject matter & duration

Subject matter
Processing of Personal Data on behalf of the Controller in connection with the provision of the my·lobbyist platform.
Duration
For the term of the Customer's subscription, plus the limited deletion period set out in Section 11.
Nature & purpose
Hosting, indexing, retrieval and AI-assisted analysis of Customer-provided content and EU public-affairs data for the Controller's Authorized Users.
Data subjects
The Controller's Authorized Users and any individuals named in content the Controller submits to the platform.
Categories of personal data
Identification data (name, work email, role, country), authentication data, usage telemetry, and any personal data the Controller chooses to submit as content (e.g. names in briefs or questions).

03

Roles & responsibilities

The Controller determines the purposes and means of Processing and is responsible for ensuring it has a lawful basis for sharing Personal Data with my·lobbyist. my·lobbyist acts as Processor and will only Process Personal Data on documented instructions from the Controller, which are deemed given when the Controller uses the platform in accordance with the Terms of Service.

04

Confidentiality of personnel

my·lobbyist ensures that anyone authorised to Process Personal Data is bound by appropriate confidentiality obligations and has received privacy and security training relevant to their role.

05

Security measures

my·lobbyist implements appropriate technical and organisational measures as required by Article 32 GDPR, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256, inherited from Google Cloud)
  • Role-based access controls and least-privilege principles
  • Multi-factor authentication for all administrative access
  • Secrets management via Google Secret Manager — no credentials in source control
  • Continuous logging and monitoring of production systems
  • A documented incident response process with personal data breach handling
  • Annual review of security controls and vendor posture
  • Reliance on the certifications of our underlying infrastructure provider (Google: ISO 27001, ISO 27017/18, SOC 2 Type II)

06

Sub-processors

The Controller hereby provides general written authorisation for my·lobbyist to engage the Sub-processors listed below. The list is current as of the “last updated” date above.

Google Cloud
Infrastructure hosting, storage and compute. EU region. Covered by the Google Cloud DPA and Google's SCCs.
Google Workspace
Internal email, document collaboration, identity for the my·lobbyist team. Customer Personal Data is not stored here in the ordinary course; only support correspondence may touch it.
Firebase (Google)
Authentication and limited app-side data for the platform, operated by Google as part of Google Cloud.

We do not engage any other Sub-processor for Processing of Customer Personal Data. If we add or replace a Sub-processor, we will notify the Controller at least 30 days in advance by email and via the in-product changelog. The Controller may object on reasonable, GDPR-related grounds; if we cannot resolve the objection, the Controller may terminate the affected subscription with a pro-rata refund.

07

International data transfers

Customer Personal Data is processed in the European Union by default. To the extent any Processing involves transfer of Personal Data outside the EEA — for example, support interactions with Google staff — such transfers rely on the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 and the supplementary measures documented in the Google Cloud DPA, supplemented by an ongoing assessment of the destination country's legal framework where required.

08

Data subject requests

my·lobbyist will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR.

In most cases the Controller can fulfil requests directly via the in-app data export and account management tools. Where that is not sufficient, the Controller can contact dpa@mylobbyist.eu and we will respond without undue delay.

09

Personal data breach notification

my·lobbyist will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent then known:

  • The nature of the breach, categories and approximate number of Data Subjects and records concerned
  • The likely consequences
  • The measures taken or proposed to address the breach and mitigate its effects
  • The name and contact details of the relevant point of contact at my·lobbyist

10

Audits & information rights

On request, my·lobbyist will provide the Controller with the information reasonably necessary to demonstrate compliance with this DPA. This includes:

  • Our most recent security questionnaire (SIG-Lite format or equivalent)
  • The current Sub-processor list and the certifications of those Sub-processors
  • Responses to specific questions relevant to the Controller's regulatory obligations

Where the Controller has a documented legal or regulatory obligation that requires more than the above, the parties will agree in advance on the scope, timing and cost of any audit activity, conducted under reasonable confidentiality obligations and in a manner that does not jeopardise the security of other customers.

11

Return & deletion

On termination or expiry of the subscription, the Controller may export Customer Personal Data via the in-app export tools for a period of 30 days. After that period, my·lobbyist will delete Customer Personal Data from production systems within a further 30 days, and from rolling backups within the standard backup retention window (30 days).

We may retain Personal Data where required by applicable law (for example, billing records under tax law); in that case the retained data remains subject to this DPA's security and confidentiality obligations.

12

Liability & order of precedence

The limitation of liability set out in the Terms of Service applies to this DPA. In the event of any conflict between this DPA and the Terms of Service in respect of the Processing of Personal Data, this DPA prevails.

13

Contact

DPA requests
dpa@mylobbyist.eu
Legal entity
[Company Legal Name], [Registered Address], Brussels
