Data Processing Agreement

Last updated: April 2026

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Controller" refers to the Client. "Processor" refers to Lyra Advisory Inc.

2. Scope of Processing

Lyra processes Personal Data solely to provide the contracted bookkeeping, controller, and CFO services. Processing activities include: storing financial records, generating reports, managing invoices, and providing dashboard analytics.

3. Data Protection Measures

Lyra implements: encryption in transit (TLS 1.2+) and at rest, tenant-isolated data architecture, HMAC-signed session management, regular security assessments, access controls limited to authorized personnel, and automated input sanitization.

4. Sub-processors

Lyra uses the following sub-processors: Cloudflare (hosting and CDN), Intuit/QuickBooks (accounting platform), Xero (accounting platform), DigitalOcean (workflow automation hosting). We will notify you before adding new sub-processors.

5. Data Subject Rights

Lyra will assist the Controller in responding to data subject requests including: access, rectification, erasure, portability, and restriction of processing, within 30 days of request.

6. Breach Notification

Lyra will notify the Controller of any Personal Data breach within 72 hours of becoming aware. Notification will include: nature of the breach, categories of data affected, approximate number of records, and measures taken.

7. Data Return and Deletion

Upon termination, Lyra will return all Personal Data in a standard format and delete copies within 90 days, except where retention is required by law.