Data Processing Agreement
Last updated: April 19, 2026
This DPA applies to business customers whose use of Lictor is subject to the GDPR, UK GDPR, the Swiss FADP, or a comparable regime. It supplements our Terms of Service and Privacy Policy.
1. Roles
With respect to personal data processed on behalf of Customer, Lictor acts as a processor and Customer acts as the controller. Where Lictor determines the purposes and means of processing (e.g. for account administration, fraud prevention, product improvement), Lictor acts as an independent controller for that narrow purpose.
2. Scope and subject-matter
- Subject-matter: providing the Lictor advertising-management service to Customer.
- Duration: for the term of the Customer's subscription plus any post-termination retention period set out in our Privacy Policy.
- Nature of processing: storage, retrieval, analysis, and transmission to connected advertising platforms.
- Categories of data subjects: Customer's authorized users, and end customers whose information Customer uploads to the service.
- Categories of personal data: contact information, authentication data, product photos that may include individuals' likenesses, and ad campaign metadata.
3. Customer instructions
Lictor will process personal data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by applicable law. Customer's use of the product interface constitutes those instructions.
4. Sub-processors
Customer authorizes Lictor to engage sub-processors to provide the service. Our current sub-processors include:
- Supabase Inc. (database, auth, storage) — US / EU regions
- Stripe, Inc. (payments) — US / EU regions
- Railway Corp. (application hosting) — US
- Vercel Inc. (application hosting) — US / EU regions
- Google LLC (Vertex AI / Gemini — creative generation) — US / EU
- Anthropic PBC (Claude — copy generation) — US
- Fal.ai (Seedance video generation) — US
Each sub-processor is bound by contractual obligations materially equivalent to those in this DPA. We'll give Customer reasonable advance notice of any new sub-processor and an opportunity to object.
5. Confidentiality
Lictor ensures that personnel authorized to process personal data are bound by confidentiality obligations.
6. Security
Lictor maintains appropriate technical and organizational measures to protect personal data, including:
- AES-256-GCM encryption of platform access tokens at rest.
- TLS for all data in transit.
- Least-privilege access controls on production systems.
- Server-side audit logging of token access.
- Regular review and rotation of access credentials.
7. Data-subject rights
Lictor will provide Customer with reasonable assistance responding to data-subject requests (access, rectification, erasure, portability, objection, restriction). Customer may self-serve most of these through the dashboard.
8. Personal-data breach notification
Lictor will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Customer data.
9. International transfers
Where Customer data is transferred out of the EEA / UK / Switzerland to a jurisdiction without an adequacy decision, the parties will rely on the EU Standard Contractual Clauses (and the UK IDTA / Swiss addendum as applicable), incorporated by reference.
10. Deletion
On termination of the services, Lictor will delete personal data within the retention window defined in our Privacy Policy, or return it to Customer if Customer requests in writing before the retention window expires.
11. Audit
Lictor will make available to Customer, on reasonable written request, information necessary to demonstrate compliance with this DPA. Audits beyond what's reasonable are at Customer's expense and subject to confidentiality.
12. Execution
By using the service in a capacity subject to GDPR / UK GDPR / FADP, Customer is deemed to have entered into this DPA with Lictor. Customers who require a countersigned copy should contact legal@getlictor.com.