Lytical Data Processing Agreement
Effective Date: December 17, 2025
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Controller: The Customer identified in the applicable Order Form or Terms of Service ("Customer", "Controller")
Processor: Lytical ("Lytical", "Processor"), a service provider offering website analytics services.
Together, the "Parties".
This DPA forms part of and supplements the Agreement between the Parties governing Customer’s use of Lytical’s services (the "Agreement").
2. Definitions
Unless otherwise defined in this DPA, all terms have the meaning given to them under applicable Data Protection Laws, including:
- "Data Protection Laws" means all applicable privacy and data protection laws and regulations, including the EU General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK GDPR, and any applicable U.S. state privacy laws to the extent applicable.
- "Personal Data" means any information relating to an identified or identifiable natural person that Lytical processes on behalf of Customer as part of the Services.
- "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority" have the meanings given in GDPR.
3. Subject Matter & Duration
Lytical processes Personal Data solely for the purpose of providing analytics and related services under the Agreement. Processing begins when the Customer first uses the Services and continues for the duration of the Agreement and any applicable data retention period.
4. Nature & Purpose of Processing
Lytical will process Personal Data as necessary to:
- Provide the Services
- Maintain and secure the Services
- Improve functionality where permitted by law or Customer agreement
- Provide support and customer success services
Lytical will not:
- Sell Personal Data
- Use Personal Data for advertising or profiling outside of Service performance
5. Types of Personal Data & Data Subjects
Categories of Data Subjects may include:
- Website visitors
- End users interacting with Customer digital properties
Categories of Personal Data may include:
- Online identifiers (e.g., IP address, device identifiers)
- Usage data (e.g., page interactions, events)
- Technical and diagnostic data
Sensitive or special categories of data are not intended to be processed through the Services unless expressly agreed in writing.
6. Controller Instructions
Lytical will only process Personal Data in accordance with:
- Documented instructions from Customer
- The Agreement
- This DPA
- Applicable laws requiring additional processing (with notice to Customer unless prohibited)
Customer is responsible for ensuring instructions are lawful.
7. Security
Lytical shall implement appropriate technical and organizational security measures designed to:
- Ensure confidentiality, integrity, and availability of Personal Data
- Protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access
Such measures may include:
- Encryption in transit and at rest
- Access controls & authentication
- Logging & monitoring
- Secure development and operational practices
8. Subprocessors
Customer authorizes Lytical to engage Subprocessors necessary to provide the Services. Lytical shall:
- Maintain a list of current Subprocessors
- Impose data protection obligations equivalent to this DPA
- Remain responsible for Subprocessor performance
Customer may request notification of new Subprocessors and object where legally permitted.
9. International Data Transfers
Where Lytical transfers Personal Data internationally, it shall ensure an appropriate transfer mechanism is in place, including where applicable:
- Standard Contractual Clauses
- UK International Data Transfer Addendum
- Other approved safeguards
10. Data Subject Rights
Lytical shall assist Customer, to the extent reasonably possible, in fulfilling Data Subject rights requests including:
- Access
- Rectification
- Erasure
- Restriction
- Portability
Requests received directly by Lytical will be referred to Customer unless prohibited by law.
11. Breach Notification
In the event of a Personal Data Breach, Lytical will notify Customer without undue delay after becoming aware and provide:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Likely consequences
- Measures taken or proposed
12. Audits & Compliance
Upon reasonable written request, Lytical shall make available documentation necessary to demonstrate compliance. Customer may conduct audits subject to reasonable scheduling, confidentiality, and scope limitations.
13. Data Retention & Deletion
Upon termination of the Services, Lytical shall delete or return Personal Data unless retention is required by law. Routine backups may persist temporarily but will be deleted per retention schedule.
14. Liability & Indemnity
Liability is governed by the Agreement unless otherwise required by law. Nothing limits liability where prohibited by applicable Data Protection Laws.
15. Governing Law & Jurisdiction
This DPA is governed by the governing law of the Agreement, unless otherwise required by applicable privacy law.
16. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA shall control to the extent of the conflict regarding data protection matters.
17. Execution
This DPA is deemed executed and effective as of the date the Agreement is executed and forms an integral part thereof.
