Data Processing Agreement

Last updated: 18 May 2026.

This Data Processing Agreement (DPA) supplements the StyloBot subscription between the customer (Controller) and Mostlylucid Ltd (Processor), a company registered in Scotland, United Kingdom. It is concluded under Article 28 of the UK GDPR (and the EU GDPR where applicable).

1. Roles

  • Controller: the StyloBot subscriber.
  • Processor: Mostlylucid Ltd, processing Personal Data on the Controller's behalf.

2. Subject Matter and Duration

The Processor provides bot-detection, license enforcement, and audit-log services on a multi-tenant SaaS basis. This DPA remains in effect for the duration of the underlying subscription and the retention period defined below.

3. Nature and Purpose of Processing

  • Detecting and classifying bot traffic against the Controller's websites and APIs.
  • Enforcing the Controller's license tier and feature entitlements.
  • Producing detection telemetry and audit logs for the Controller's review.

4. Categories of Data Subjects

End users and bots accessing the Controller's websites and APIs.

5. Categories of Personal Data

  • HMAC-SHA256 hashed identifiers derived from values such as IP addresses (no raw IPs persisted).
  • PII-stripped user-agent strings.
  • IP-derived geographic data at country level.
  • License-holder contact email (Controller's billing email).

6. Sub-processors

The current list of sub-processors is published at /legal/sub-processors and forms part of this DPA. We will notify the Controller at least 30 days before adding or replacing a sub-processor.

7. International Transfers

Where Personal Data is transferred outside the UK or EEA, transfers are protected by the UK International Data Transfer Addendum (IDTA) and/or EU Standard Contractual Clauses (SCC) depending on the destination, plus adequacy decisions where they apply.

8. Security Measures

See /legal/security for the customer-facing summary. Key controls:

  • TLS 1.3 in transit; provider-managed encryption at rest for Postgres.
  • Keycloak-isolated user identity; the application database holds zero user passwords.
  • Least-privilege per-service DB roles.
  • Secrets sourced from environment variables; never in source control.

9. Breach Notification

The Processor will notify the Controller of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of the breach.

10. Audit Rights

The Controller may request a written audit report (security overview, sub-processor list, breach history) up to once per calendar year. On-site audits are available by prior agreement where required by the Controller's regulatory regime.

11. Return and Deletion

On termination of the underlying subscription, the Processor will delete all Personal Data within 30 days unless retention is required by law (e.g., financial records under the UK Companies Act). On request before that window, an export is provided in machine-readable form.

12. Liability

The liability provisions of the underlying subscription apply to this DPA.

13. Governing Law

This DPA is governed by Scots law. Disputes are subject to the courts of Scotland.

14. Contact

For DPA matters, email [email protected].