Products
Products
Data Processing Addendum
Last updated: September 13, 2025
Table of Contents
Scope and Roles
Processing Instructions
Details of Processing
3.1 Purpose
3.2 Data Subjects
3.3 Categories of Data
3.4 Special CategoriesCustomer Responsibilities
Confidentiality and Personnel
Security Measures
Sub-processors
Assistance
Personal Data Breach
Return and Deletion
Audits and Information
International Transfers
US State Privacy Addendum
Liability and Precedence
This DPA forms part of the agreement between Seeking Sigma Inc. dba “Lyra” (“Lyra” or “Processor”) and the customer that accepted Lyra’s Terms and Conditions or a separate master agreement (“Customer” or “Controller”).
1. Scope and roles
Customer is the Controller. Lyra is the Processor for Personal Data processed to provide the Services.
2. Processing instructions
Lyra will process Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required by law. Lyra will notify Customer if it believes an instruction conflicts with applicable law.
3. Details of processing
Purpose. Provide AI-native meeting and collaboration Services, including recording, transcription, AI summaries, analytics, hosting, and support.
Data subjects. Customer’s users, meeting participants invited by Customer, and other individuals whose data Customer submits.
Categories of data. Identifiers and contact details, account and usage data, meeting audio, video, transcripts, and user content as enabled by Customer.
Special categories. Not intended. Customer will not submit sensitive data unless the parties agree in writing.
4. Customer responsibilities
Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data. Customer is responsible for obtaining and recording any required notices and consents for recording, transcription, and processing of meeting content.
5. Confidentiality and personnel
Lyra limits access to personnel with a need to know, ensures confidentiality obligations, and provides security training.
6. Security measures
Lyra maintains appropriate technical and organizational measures designed to protect Personal Data, including encryption in transit and at rest, access controls, least privilege, logging and monitoring, vulnerability management, secure SDLC, business continuity, and incident response. A current summary is available on request and may be updated to maintain or improve protection.
7. Sub-processors
Customer authorizes Lyra to engage the sub-processors listed on Lyra’s Sub-processors page and any updates. Lyra imposes data protection terms providing at least the same level of protection as this DPA. Lyra will provide notice of changes by updating the page. Customer may object in writing within 10 days. If the parties cannot resolve an objection, Customer may suspend the affected Services.
8. Assistance
Taking into account the nature of processing, Lyra will assist Customer with data subject requests and with obligations under Articles 32 to 36 GDPR or analogous laws, including security, breach notifications, DPIAs, and consultations.
9. Personal Data breach
Lyra will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Initial notice target is within 72 hours, with updates as more information becomes available.
10. Return and deletion
Upon termination or expiry of the Services, Lyra will delete or return Personal Data at Customer’s choice, unless retention is required by law. Default backup retention is up to 30 days.
11. Audits and information
On written request no more than once per 12 months, Lyra will make available information necessary to demonstrate compliance, including third-party reports such as SOC. Remote audits and report reviews will satisfy this section unless law requires on-site inspection. Audits must occur during business hours, under confidentiality, and not unreasonably disrupt operations.
12. International transfers
Where Lyra processes Personal Data subject to European Data Protection Laws outside an adequate jurisdiction, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as follows. Module 2 (Controller to Processor) applies. Clause 7 docking clause applies. Clause 9(a) option 2 with 10 days prior notice. Clause 11 does not apply. Clause 17 Irish law. Clause 18 courts of Ireland. The annexes are completed by this DPA and the Services description.
For the UK, the IDTA Addendum to the EU SCCs applies. For Switzerland, the Swiss Addendum applies. Lyra will provide a transfer impact assessment summary on request and will notify Customer if it can no longer comply.
13. US state privacy addendum
For Personal Data subject to US state privacy laws, including the CPRA, Lyra acts as a “service provider” or “processor.” Lyra will process Personal Data only to provide the Services, will not “sell” or “share” Personal Data, will not combine Personal Data with other data except as permitted for the Services or by law, and will assist Customer with consumer requests as required.
14. Liability and precedence
Each party’s liability under this DPA is subject to the limitations in the underlying agreement. If there is a conflict, this DPA controls for processing of Personal Data.
Annex I. Parties and processing
Controller. Customer entity under the agreement.
Processor. Seeking Sigma Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, support@lyra.so.
Subject matter and duration. Provision of Services for the term and limited backup retention.
Nature and purpose. As described in section 3.
Categories and data subjects. As described in section 3.
Annex II. Technical and organizational measures (summary)
Access governance with SSO and MFA via WorkOS. Encryption at rest and in transit. Network segmentation and firewalls. Logging, alerting, and monitoring. Secure SDLC with GitHub and CI/CD via Vercel. Vulnerability management and patching. Role-based access and least privilege. Key management. Employee security training. Vendor risk management with Vanta. Incident response and business continuity plans. Data hosting in GCP US by default.
Annex III. Authorized sub-processors
AssemblyAI, Daily, ElevenLabs, GitHub, Google Cloud Platform, Google Workspace, HubSpot, Intercom, Linear, Mixpanel, OpenAI, Stripe, Tiptap, Vanta, Vercel, WorkOS.
Data Processing Addendum
Last updated: September 13, 2025
Table of Contents
Scope and Roles
Processing Instructions
Details of Processing
3.1 Purpose
3.2 Data Subjects
3.3 Categories of Data
3.4 Special CategoriesCustomer Responsibilities
Confidentiality and Personnel
Security Measures
Sub-processors
Assistance
Personal Data Breach
Return and Deletion
Audits and Information
International Transfers
US State Privacy Addendum
Liability and Precedence
This DPA forms part of the agreement between Seeking Sigma Inc. dba “Lyra” (“Lyra” or “Processor”) and the customer that accepted Lyra’s Terms and Conditions or a separate master agreement (“Customer” or “Controller”).
1. Scope and roles
Customer is the Controller. Lyra is the Processor for Personal Data processed to provide the Services.
2. Processing instructions
Lyra will process Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required by law. Lyra will notify Customer if it believes an instruction conflicts with applicable law.
3. Details of processing
Purpose. Provide AI-native meeting and collaboration Services, including recording, transcription, AI summaries, analytics, hosting, and support.
Data subjects. Customer’s users, meeting participants invited by Customer, and other individuals whose data Customer submits.
Categories of data. Identifiers and contact details, account and usage data, meeting audio, video, transcripts, and user content as enabled by Customer.
Special categories. Not intended. Customer will not submit sensitive data unless the parties agree in writing.
4. Customer responsibilities
Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data. Customer is responsible for obtaining and recording any required notices and consents for recording, transcription, and processing of meeting content.
5. Confidentiality and personnel
Lyra limits access to personnel with a need to know, ensures confidentiality obligations, and provides security training.
6. Security measures
Lyra maintains appropriate technical and organizational measures designed to protect Personal Data, including encryption in transit and at rest, access controls, least privilege, logging and monitoring, vulnerability management, secure SDLC, business continuity, and incident response. A current summary is available on request and may be updated to maintain or improve protection.
7. Sub-processors
Customer authorizes Lyra to engage the sub-processors listed on Lyra’s Sub-processors page and any updates. Lyra imposes data protection terms providing at least the same level of protection as this DPA. Lyra will provide notice of changes by updating the page. Customer may object in writing within 10 days. If the parties cannot resolve an objection, Customer may suspend the affected Services.
8. Assistance
Taking into account the nature of processing, Lyra will assist Customer with data subject requests and with obligations under Articles 32 to 36 GDPR or analogous laws, including security, breach notifications, DPIAs, and consultations.
9. Personal Data breach
Lyra will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Initial notice target is within 72 hours, with updates as more information becomes available.
10. Return and deletion
Upon termination or expiry of the Services, Lyra will delete or return Personal Data at Customer’s choice, unless retention is required by law. Default backup retention is up to 30 days.
11. Audits and information
On written request no more than once per 12 months, Lyra will make available information necessary to demonstrate compliance, including third-party reports such as SOC. Remote audits and report reviews will satisfy this section unless law requires on-site inspection. Audits must occur during business hours, under confidentiality, and not unreasonably disrupt operations.
12. International transfers
Where Lyra processes Personal Data subject to European Data Protection Laws outside an adequate jurisdiction, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as follows. Module 2 (Controller to Processor) applies. Clause 7 docking clause applies. Clause 9(a) option 2 with 10 days prior notice. Clause 11 does not apply. Clause 17 Irish law. Clause 18 courts of Ireland. The annexes are completed by this DPA and the Services description.
For the UK, the IDTA Addendum to the EU SCCs applies. For Switzerland, the Swiss Addendum applies. Lyra will provide a transfer impact assessment summary on request and will notify Customer if it can no longer comply.
13. US state privacy addendum
For Personal Data subject to US state privacy laws, including the CPRA, Lyra acts as a “service provider” or “processor.” Lyra will process Personal Data only to provide the Services, will not “sell” or “share” Personal Data, will not combine Personal Data with other data except as permitted for the Services or by law, and will assist Customer with consumer requests as required.
14. Liability and precedence
Each party’s liability under this DPA is subject to the limitations in the underlying agreement. If there is a conflict, this DPA controls for processing of Personal Data.
Annex I. Parties and processing
Controller. Customer entity under the agreement.
Processor. Seeking Sigma Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, support@lyra.so.
Subject matter and duration. Provision of Services for the term and limited backup retention.
Nature and purpose. As described in section 3.
Categories and data subjects. As described in section 3.
Annex II. Technical and organizational measures (summary)
Access governance with SSO and MFA via WorkOS. Encryption at rest and in transit. Network segmentation and firewalls. Logging, alerting, and monitoring. Secure SDLC with GitHub and CI/CD via Vercel. Vulnerability management and patching. Role-based access and least privilege. Key management. Employee security training. Vendor risk management with Vanta. Incident response and business continuity plans. Data hosting in GCP US by default.
Annex III. Authorized sub-processors
AssemblyAI, Daily, ElevenLabs, GitHub, Google Cloud Platform, Google Workspace, HubSpot, Intercom, Linear, Mixpanel, OpenAI, Stripe, Tiptap, Vanta, Vercel, WorkOS.
Data Processing Addendum
Last updated: September 13, 2025
Table of Contents
Scope and Roles
Processing Instructions
Details of Processing
3.1 Purpose
3.2 Data Subjects
3.3 Categories of Data
3.4 Special CategoriesCustomer Responsibilities
Confidentiality and Personnel
Security Measures
Sub-processors
Assistance
Personal Data Breach
Return and Deletion
Audits and Information
International Transfers
US State Privacy Addendum
Liability and Precedence
This DPA forms part of the agreement between Seeking Sigma Inc. dba “Lyra” (“Lyra” or “Processor”) and the customer that accepted Lyra’s Terms and Conditions or a separate master agreement (“Customer” or “Controller”).
1. Scope and roles
Customer is the Controller. Lyra is the Processor for Personal Data processed to provide the Services.
2. Processing instructions
Lyra will process Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required by law. Lyra will notify Customer if it believes an instruction conflicts with applicable law.
3. Details of processing
Purpose. Provide AI-native meeting and collaboration Services, including recording, transcription, AI summaries, analytics, hosting, and support.
Data subjects. Customer’s users, meeting participants invited by Customer, and other individuals whose data Customer submits.
Categories of data. Identifiers and contact details, account and usage data, meeting audio, video, transcripts, and user content as enabled by Customer.
Special categories. Not intended. Customer will not submit sensitive data unless the parties agree in writing.
4. Customer responsibilities
Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data. Customer is responsible for obtaining and recording any required notices and consents for recording, transcription, and processing of meeting content.
5. Confidentiality and personnel
Lyra limits access to personnel with a need to know, ensures confidentiality obligations, and provides security training.
6. Security measures
Lyra maintains appropriate technical and organizational measures designed to protect Personal Data, including encryption in transit and at rest, access controls, least privilege, logging and monitoring, vulnerability management, secure SDLC, business continuity, and incident response. A current summary is available on request and may be updated to maintain or improve protection.
7. Sub-processors
Customer authorizes Lyra to engage the sub-processors listed on Lyra’s Sub-processors page and any updates. Lyra imposes data protection terms providing at least the same level of protection as this DPA. Lyra will provide notice of changes by updating the page. Customer may object in writing within 10 days. If the parties cannot resolve an objection, Customer may suspend the affected Services.
8. Assistance
Taking into account the nature of processing, Lyra will assist Customer with data subject requests and with obligations under Articles 32 to 36 GDPR or analogous laws, including security, breach notifications, DPIAs, and consultations.
9. Personal Data breach
Lyra will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Initial notice target is within 72 hours, with updates as more information becomes available.
10. Return and deletion
Upon termination or expiry of the Services, Lyra will delete or return Personal Data at Customer’s choice, unless retention is required by law. Default backup retention is up to 30 days.
11. Audits and information
On written request no more than once per 12 months, Lyra will make available information necessary to demonstrate compliance, including third-party reports such as SOC. Remote audits and report reviews will satisfy this section unless law requires on-site inspection. Audits must occur during business hours, under confidentiality, and not unreasonably disrupt operations.
12. International transfers
Where Lyra processes Personal Data subject to European Data Protection Laws outside an adequate jurisdiction, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as follows. Module 2 (Controller to Processor) applies. Clause 7 docking clause applies. Clause 9(a) option 2 with 10 days prior notice. Clause 11 does not apply. Clause 17 Irish law. Clause 18 courts of Ireland. The annexes are completed by this DPA and the Services description.
For the UK, the IDTA Addendum to the EU SCCs applies. For Switzerland, the Swiss Addendum applies. Lyra will provide a transfer impact assessment summary on request and will notify Customer if it can no longer comply.
13. US state privacy addendum
For Personal Data subject to US state privacy laws, including the CPRA, Lyra acts as a “service provider” or “processor.” Lyra will process Personal Data only to provide the Services, will not “sell” or “share” Personal Data, will not combine Personal Data with other data except as permitted for the Services or by law, and will assist Customer with consumer requests as required.
14. Liability and precedence
Each party’s liability under this DPA is subject to the limitations in the underlying agreement. If there is a conflict, this DPA controls for processing of Personal Data.
Annex I. Parties and processing
Controller. Customer entity under the agreement.
Processor. Seeking Sigma Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, support@lyra.so.
Subject matter and duration. Provision of Services for the term and limited backup retention.
Nature and purpose. As described in section 3.
Categories and data subjects. As described in section 3.
Annex II. Technical and organizational measures (summary)
Access governance with SSO and MFA via WorkOS. Encryption at rest and in transit. Network segmentation and firewalls. Logging, alerting, and monitoring. Secure SDLC with GitHub and CI/CD via Vercel. Vulnerability management and patching. Role-based access and least privilege. Key management. Employee security training. Vendor risk management with Vanta. Incident response and business continuity plans. Data hosting in GCP US by default.
Annex III. Authorized sub-processors
AssemblyAI, Daily, ElevenLabs, GitHub, Google Cloud Platform, Google Workspace, HubSpot, Intercom, Linear, Mixpanel, OpenAI, Stripe, Tiptap, Vanta, Vercel, WorkOS.
Ready to take meetings
to the next level?
What we’ll cover
Automatic notes and follow-ups from every call
How Lyra saves teams hours each week
Quick demo of the platform
Ready to take meetings
to the next level?
What we’ll cover
Automatic notes and follow-ups from every call
How Lyra saves teams hours each week
Quick demo of the platform