This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lexonica Inc. ("Processor," "we," "us") and the customer ("Controller," "you") who uses the LexFlag platform (the "Service").
This DPA applies where and to the extent Lexonica processes Personal Data on behalf of the Controller in the course of providing the Service, and such processing is subject to applicable Data Protection Laws.
1. Definitions
- "Data Protection Laws" means GDPR, UK GDPR, PIPEDA, CCPA/CPRA, and any other applicable data protection legislation
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Lexonica on behalf of the Controller through the Service
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction
- "Sub-processor" means any third party engaged by Lexonica to process Personal Data on behalf of the Controller
- "Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data (consistent with the definition of "personal data breach" in Article 4(12) GDPR)
2. Scope and Roles
The Controller determines the purposes and means of processing Personal Data submitted to the Service. Lexonica acts solely as Processor, processing Personal Data on behalf of and under the documented instructions of the Controller, except where required by applicable law.
Lexonica shall have no independent responsibility for determining the purposes or legality of processing. The Controller retains sole responsibility for compliance with applicable Data Protection Laws with respect to Personal Data submitted to the Service, including the lawfulness of collection, the accuracy of data, the provision of required notices, and the obtaining of required consents.
Where Lexonica reasonably believes that a Controller's processing instruction infringes applicable Data Protection Laws, Lexonica shall promptly notify the Controller and may suspend processing of the affected Personal Data until the Controller provides clarification or amended instructions. Lexonica shall not be liable for any delay or failure to process resulting from such suspension.
3. Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the LexFlag risk assessment and entity screening platform |
| Duration | For the term of the Controller's use of the Service, plus any legally required retention period |
| Nature and purpose | Entity screening, risk assessment, due diligence analysis, report generation, and team collaboration |
| Types of Personal Data | Entity names, identifying information (addresses, dates of birth, national identifiers), country of incorporation or residence, ownership structures, screening results, and associated notes |
| Categories of Data Subjects | Individuals and representatives of entities submitted for screening by the Controller (e.g., customers, vendors, third parties of the Controller) |
Data Accuracy
Personal Data processed through the Service — particularly data obtained from third-party sanctions databases, adverse media sources, court records, and company registries — may be inaccurate, incomplete, outdated, or contain errors. Screening results may produce false positives or false negatives. Lexonica does not independently verify the accuracy of third-party data and makes no representations or warranties regarding such data. The Controller is solely responsible for independently verifying all processing outputs before making any compliance, legal, or business decision.
4. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis under applicable Data Protection Laws for submitting Personal Data to the Service
- Provide any required notices to, and obtain any required consents from, Data Subjects whose Personal Data is processed through the Service
- Ensure that its instructions to Lexonica comply with applicable Data Protection Laws
- Be solely responsible for the accuracy, quality, legality, and relevance of the Personal Data submitted
- Respond to and fulfill all Data Subject requests relating to Personal Data the Controller has submitted to the Service
- Maintain its own compliance program and independent legal counsel as necessary for its regulatory obligations
The Controller assumes full responsibility and liability for the legality, accuracy, and use of Personal Data, including any decisions, actions, or outcomes based on processing performed by Lexonica through the Service. Lexonica does not guarantee that the Service or its processing activities will ensure the Controller's compliance with applicable Data Protection Laws. The Service is designed to assist — not replace — the Controller's own compliance programs, and does not constitute legal, regulatory, or compliance advice.
5. Processor Obligations
Lexonica shall:
- Process Personal Data only in accordance with the Controller's documented instructions, unless required by applicable law to do otherwise
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain commercially reasonable technical and organizational security measures as described in our Privacy Policy
- Assist the Controller, at the Controller's cost and using commercially reasonable efforts, in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible and proportionate
- Assist the Controller, at the Controller's cost and using commercially reasonable efforts, in ensuring compliance with obligations related to data protection impact assessments and prior consultations with supervisory authorities, where applicable and to the extent that such assistance relates to the processing performed by Lexonica
- At the Controller's choice, delete or return all Personal Data upon termination of the Service, except where retention is required by applicable law
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA
Security Disclaimer
While Lexonica implements commercially reasonable security measures, Lexonica does not guarantee that the Service will be secure or free from unauthorized access, data breaches, vulnerabilities, or other security threats. The limitations of liability set out in Section 10 of this DPA and in the Terms of Service apply to all security-related matters. For the avoidance of doubt, Lexonica shall not be liable for Data Breaches caused by the Controller's own security practices, the Controller's failure to maintain the confidentiality of its credentials, or the independent actions of third parties beyond Lexonica's reasonable control.
6. Sub-processors
The Controller provides general written authorization for Lexonica to engage Sub-processors. Lexonica maintains the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | United States |
| SendGrid (Twilio Inc.) | Transactional email delivery | United States |
| Google LLC | reCAPTCHA (bot/abuse protection) | United States |
| OpenSanctions | Sanctions and watchlist data | European Union |
Lexonica will notify the Controller of any intended addition or replacement of Sub-processors by updating this page. If the Controller has a reasonable objection, the Controller may contact us within 30 days of notification. Where the objection cannot be resolved, the Controller may terminate the affected Service.
Lexonica shall impose on each Sub-processor data protection obligations no less protective than those in this DPA. However, Lexonica shall not be liable for the independent acts, omissions, or failures of Sub-processors, provided that Lexonica has complied with its Sub-processor selection and oversight obligations under this DPA. To the extent permitted by law, claims arising from a Sub-processor's independent acts or omissions shall be directed to the Sub-processor.
7. International Data Transfers
Where Personal Data is transferred to a jurisdiction outside the Controller's jurisdiction, Lexonica implements appropriate safeguards as described in Section 10 of our Privacy Policy, including Standard Contractual Clauses where required.
8. Data Breach Notification
Lexonica shall notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Data Breach affecting Personal Data processed under this DPA. The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach and mitigate its effects
9. Audits
Lexonica shall make available to the Controller, upon reasonable written request and subject to appropriate confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with at least 30 days' prior written notice, during normal business hours, and at the Controller's expense.
Audits shall be subject to the following conditions:
- Audits shall not include access to systems, data, or information belonging to other customers of Lexonica
- Auditors shall not have access to trade secrets, proprietary algorithms, security configurations, or source code
- Audits must not unreasonably disrupt Lexonica's normal business operations
- Third-party auditors must execute a confidentiality agreement acceptable to Lexonica before commencing any audit activities
- Lexonica may, at its sole discretion, satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or written attestations in lieu of on-site access
10. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
Controller Indemnification. The Controller shall indemnify, defend, and hold harmless Lexonica, its officers, directors, employees, and agents from and against any and all claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or related to:
- The Controller's breach of applicable Data Protection Laws
- The Controller's breach of its obligations under this DPA
- The Controller's processing instructions that violate applicable law
- Any regulatory investigation, enforcement action, or third-party claim resulting from the Controller's use of the Service or the Personal Data submitted by the Controller
- The Controller's failure to maintain a lawful basis for processing, to provide required notices, or to obtain required consents
This indemnification obligation survives termination of this DPA and is in addition to (and does not limit) the indemnification obligations in the Terms of Service.
11. Term and Termination
This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, Lexonica shall delete or return all Personal Data within 90 days, unless retention is required by applicable law, in which case the retained data will continue to be protected under this DPA.
12. Governing Law
This DPA is governed by the same law that governs the Terms of Service (the laws of the Province of New Brunswick and the federal laws of Canada).
13. Contact
For questions about this DPA or to exercise rights related to data processing, please contact:
Lexonica Inc.
New Brunswick, Canada
Email: tim@lexonica.com
By using the LexFlag platform, you acknowledge that this Data Processing Agreement applies to your use of the Service where Lexonica processes Personal Data on your behalf.