Data Processing Agreement
Last updated: 17 May 2026
1. Parties and scope
This Data Processing Agreement (the “DPA”) forms part of the agreement between:
- The Tenant — the natural or legal person that holds an Autonodal account and is the controller of the personal data processed under this DPA; and
- The Processor — Lake X Labs S.L. (the “Company”), a Spanish Sociedad Limitada with its principal place of business at Can Rabia Street, 3 — Building B, 2nd Floor, 08017 Barcelona, Spain, and Spanish tax identification number B67101642, operating the Autonodal platform (the “Service”) as a processor acting on the Tenant’s documented instructions.
This DPA governs the processing of personal data carried out by the Processor on behalf of the Tenant in the course of providing the Service, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”), the UK GDPR, and other applicable data protection laws.
2. Subject matter, nature, and purpose of processing
The Processor processes personal data on behalf of the Tenant solely for the purpose of operating the Service: maintaining the Tenant’s account, ingesting and indexing relationship-graph data from sources the Tenant connects (Gmail metadata, Google Contacts, Google Calendar, LinkedIn export, Telegram, calendar systems, CRM exports, billing systems), surfacing market signals matched to the Tenant’s contact graph, generating intelligence outputs (dispatches, dossiers, briefs), and supporting features the Tenant explicitly enables.
3. Categories of personal data
The Processor processes the following categories of personal data on behalf of the Tenant:
- Identifiers — name, email address, phone number, LinkedIn profile URL
- Professional context — current and prior job titles, employers, sector, geography, education
- Communication metadata — sender / recipient addresses, timestamps, subject lines, and structural metadata from inbound and outbound messages connected to the Tenant’s account; never message bodies as a primary use, and content only where the Tenant has explicitly enabled a feature that requires it
- Calendar metadata — meeting times, attendees, locations, titles, and recurrence patterns from connected calendars
- Derived signals — proximity scores, relationship strengths, engagement scores, and other mathematical derivations computed from the categories above
- Account and billing data — the Tenant’s own login email, role within the Service, and any commercial relationship attributes
4. Categories of data subjects
- The Tenant’s own users, employees, and team members
- Individuals in the Tenant’s professional network (contacts, prospects, candidates, clients, advisors, investors, and other relationships)
5. Duration of processing
The Processor processes personal data for the duration of the Tenant’s active subscription to the Service, plus a deletion window of up to thirty (30) days following the termination or deletion of the Tenant’s account, as set out in the Privacy Policy and the Data Deletion Policy.
6. Sub-processors
The Processor engages the following sub-processors to operate the Service. Each is bound by a written data processing agreement that imposes obligations equivalent to those of this DPA.
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Railway Corp. (railway.com) | Application hosting, container runtime, primary database (PostgreSQL) | United States | Standard Contractual Clauses (SCCs) per Commission Implementing Decision 2021/914 |
| Qdrant Solutions GmbH (qdrant.tech) | Vector database for semantic search and relationship indexing | European Union (Frankfurt, Germany) | Intra-EEA — no SCCs required |
| OpenAI, OpCo, LLC (openai.com) | Text embedding generation (Limited Use; never trained on Tenant data) | United States | Standard Contractual Clauses (SCCs) per Commission Implementing Decision 2021/914 |
| Anthropic, PBC (anthropic.com) | Signal extraction and analysis via Claude API (Limited Use; never trained on Tenant data) | United States | Standard Contractual Clauses (SCCs) per Commission Implementing Decision 2021/914 |
| Resend, Inc. (resend.com) | Transactional email delivery (welcome, daily brief, account notifications) | United States | Standard Contractual Clauses (SCCs) per Commission Implementing Decision 2021/914 |
| Google LLC (google.com) | OAuth identity verification + Gmail / Contacts / Calendar API access (read-only, scoped, under the Limited Use policy) | European Union and United States | Standard Contractual Clauses (SCCs) per Commission Implementing Decision 2021/914 for US transfers |
The Processor will provide the Tenant with at least thirty (30) days’ notice prior to engaging any additional sub-processor, by email to the address on file, allowing the Tenant to object on reasonable grounds related to data protection.
7. International data transfers
Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom to a country not deemed by the European Commission or the UK Secretary of State to provide an adequate level of protection, the Processor relies on:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in the appropriate module for processor-to-sub-processor transfers (Module 3), and
- Where the UK GDPR applies, the International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner’s Office, or the UK Addendum to the EU SCCs.
The Processor has assessed the legal regime of each receiving jurisdiction and applies supplementary measures (encryption in transit and at rest, contractual data minimisation, and feature-level transfer controls) where appropriate to ensure an essentially equivalent level of protection.
8. Security measures
The Processor implements appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit — TLS 1.2+ for all client and inter-service connections
- Encryption at rest — AES-256 for primary database storage and backups
- Access controls — role-based access on the platform; multi-factor authentication required for administrative access
- Tenant isolation — row-level security policies enforced at the database, ensuring no tenant can read another tenant’s data
- Logging and monitoring — audit logs of administrative actions and data access; alerts on anomalous behaviour
- Personnel — access on a need-to-know basis; written confidentiality obligations
- Vulnerability management — dependency monitoring and timely patching of identified vulnerabilities
- Incident response — defined process for detection, containment, notification, and remediation
9. Personal data breach notification
In the event of a personal data breach affecting the Tenant’s data, the Processor will notify the Tenant without undue delay and in any event within seventy-two (72) hours of becoming aware. The notification will include, to the extent known, the nature of the breach, categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
10. Data subject rights and assistance
The Processor will, taking into account the nature of the processing, assist the Tenant by appropriate technical and organisational measures, insofar as possible, in fulfilling the Tenant’s obligations to respond to requests from data subjects exercising their rights under Articles 15–22 of the GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection.
Where a data subject contacts the Processor directly regarding personal data processed on behalf of the Tenant, the Processor will refer the request to the Tenant without responding to the substance of the request, except where required by law.
11. Audits
Upon reasonable written notice, no more than once per twelve-month period (or more frequently if required by a supervisory authority or following a personal data breach), the Tenant may audit the Processor’s compliance with this DPA. The Processor may satisfy this obligation by providing relevant certifications, audit reports, or written responses to a documented audit questionnaire, in lieu of an on-site audit, where appropriate.
12. Return or deletion of personal data
Upon termination of the Tenant’s subscription, the Processor will, at the Tenant’s written choice, return all personal data to the Tenant in a commonly used machine-readable format, or delete the data and certify the deletion in writing, in each case within thirty (30) days of the request, save to the extent that applicable law requires retention.
13. Term and termination
This DPA takes effect on the date the Tenant accepts the Autonodal Terms of Service and remains in effect for as long as the Processor processes personal data on behalf of the Tenant. Termination of the underlying service agreement automatically terminates this DPA, save for provisions that by their nature survive termination.
14. Governing law and jurisdiction
This DPA is governed by the laws of Spain, without prejudice to any mandatory provisions of the GDPR or the data protection laws applicable to the Tenant’s jurisdiction. Disputes arising out of or in connection with this DPA will be subject to the exclusive jurisdiction of the competent courts of Barcelona, Spain.
15. Contact
Data protection enquiries, sub-processor objections, audit requests, and exercise of data subject rights on behalf of the Tenant’s controllers should be addressed to:
This document is the operative Data Processing Agreement between Lake X Labs S.L. and Tenants of the Autonodal Service. It complements but does not replace the Privacy Policy, Terms of Service, or Data Deletion Policy. Where this DPA conflicts with another document with respect to data protection, this DPA controls.