Data Processing Agreement
Version 1.0 | Last Updated: February 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller", "Customer") and Lifestream Dynamics ("Processor", "we", "us") for the Lifestream Vault service.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Controller: The entity that determines the purposes and means of processing Personal Data
- Data Processor: The entity that processes Personal Data on behalf of the Controller
- Data Subject: The identified or identifiable natural person to whom Personal Data relates
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion
- Sub-processor: Any third party engaged by the Processor to process Personal Data
2. Scope and Roles
2.1 Role of the Customer
You act as the Data Controller with respect to any Personal Data contained within documents you store in Lifestream Vault.
2.2 Role of Lifestream Dynamics
We act as the Data Processor, processing Personal Data only in accordance with your instructions as expressed through your use of the Service and as documented in this DPA.
3. Processing Instructions
3.1 Purpose
We process Personal Data solely to provide the Lifestream Vault service, including:
- Storing and synchronizing documents
- Indexing documents for search functionality
- Generating embeddings for AI features (when enabled)
- Delivering documents via sharing and publishing features
- Performing backups and disaster recovery
3.2 Duration
Processing continues for the duration of the service agreement plus any applicable retention period as described in our Privacy Policy.
3.3 Types of Personal Data
Personal Data processed may include any data you choose to store in documents, which could include names, contact information, notes, or any other content you upload.
4. Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption at rest for stored documents and database records
- Encryption in transit via TLS for all network communications
- Access controls with role-based permissions and API key scoping
- Authentication security using argon2 password hashing and short-lived JWTs
- Network security including firewalls, rate limiting, and DDoS protection
- Monitoring and logging of access and security events
- Regular updates and security patching of infrastructure
- Employee access controls with principle of least privilege
5. Sub-processors
5.1 Authorized Sub-processors
We may engage the following categories of sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Server hosting and storage | Canada |
| AI service provider (Google Vertex AI) | AI chat and embedding generation | As per Google Cloud regions |
| Email service provider | Transactional emails (verification, notifications) | As specified |
5.2 Notification
We will provide 30 days' notice before engaging a new sub-processor. You may object to a new sub-processor by contacting us within 14 days of notification.
5.3 Sub-processor Obligations
All sub-processors are bound by data processing agreements that impose data protection obligations no less protective than those in this DPA.
6. Data Subject Rights
6.1 Assistance
We will assist you in responding to Data Subject requests to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, and portability.
6.2 Self-Service
Many Data Subject rights can be fulfilled directly through the Service:
- Access and Portability: Use the Data Export feature
- Erasure: Use the Delete Account feature
- Rectification: Edit your profile and documents directly
7. Data Breach Notification
7.1 Notification Timeline
In the event of a Personal Data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
7.2 Notification Content
Breach notifications will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. International Transfers
8.1 Transfer Mechanisms
If Personal Data is transferred outside of Canada or the EEA, we ensure appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Additional supplementary measures as needed
8.2 Data Residency
Primary data storage is in Canada. AI processing may involve temporary transfer to other regions as determined by the AI service provider's infrastructure.
9. Audits
9.1 Right to Audit
You have the right to audit our compliance with this DPA. Audit requests should be submitted in writing with at least 30 days' notice.
9.2 Audit Scope
Audits may include review of security measures, processing records, and sub-processor agreements, subject to confidentiality obligations.
10. Term and Termination
10.1 Duration
This DPA remains in effect for the duration of your use of the Service.
10.2 Data Return and Deletion
Upon termination:
- You may export your data using the Data Export feature
- After the 30-day grace period, all Personal Data will be permanently deleted
- Backup copies will be deleted within 90 days of termination
11. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service.
12. Contact
For DPA-related inquiries:
- Data Protection Officer: dpo@lifestreamdynamics.com
- General: legal@lifestreamdynamics.com