Effective date: April 20, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and Lovex AB (“Processor”) and governs the Processor’s processing of Personal Data on behalf of the Controller when the Controller uses the Service. Unless amended by a signed order form, this DPA is accepted by creating an account and using the Service in a Controller capacity. Capitalized terms not defined here have the meaning given in the GDPR.
1. Scope and roles
Where the Controller uses the Service to process Personal Data subject to the GDPR or a substantially similar law, the Controller is the controller and the Processor is a processor of that Personal Data. Each party complies with its own obligations under applicable data protection law.
2. Subject matter and duration
Subject matter: the Processor processes Personal Data solely to provide, secure, and support the Service in accordance with the Controller’s documented instructions.
Duration: for as long as the Controller uses the Service, plus any deletion period described in section 11.
Nature and purpose: hosting, transmission, storage, AI assistance, analytics strictly necessary to operate the Service, support, and security.
Types of Personal Data: account identifiers (name, email), authentication data, content the Controller or its users submit (messages, tasks, comments, attachments, files), technical data (IP, device), and usage telemetry.
Categories of Data Subjects: the Controller’s personnel, contractors, and end users.
3. Processor instructions
The Processor processes Personal Data only on the Controller’s documented instructions, including as described in the Terms of Service, the Privacy Policy, configuration made by the Controller within the Service, and any written instructions the Controller sends to hello@lovex.dev. The Processor informs the Controller if, in its opinion, an instruction infringes the GDPR or another applicable data protection law.
4. Confidentiality
The Processor ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
5. Security
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate, the measures described in Annex B. The Processor reviews and updates these measures as the Service evolves.
6. Sub-processors
The Controller authorizes the Processor to engage the categories of sub-processors listed at /subprocessors, which forms Annex A to this DPA. The Processor gives at least 30 days’ notice of adding or replacing a sub-processor by updating that page and, where the Controller has subscribed to notifications, by email. The Controller may object to a new sub-processor on reasonable data protection grounds by notifying hello@lovex.dev within the notice period; if the parties cannot agree, the Controller may terminate the affected portion of the Service as its sole remedy. The Processor remains liable for each sub-processor’s compliance with this DPA.
7. International transfers
Where the Processor or an authorized sub-processor transfers Personal Data outside the EEA, the transfer is covered by an adequacy decision (including the EU-U.S. Data Privacy Framework where the recipient is certified) or by the Standard Contractual Clauses adopted by the European Commission, with supplementary measures where required under the Schrems II judgment. The Controller grants the Processor a mandate under Clause 7 of the Standard Contractual Clauses to enter into those clauses on the Controller’s behalf with sub-processors where applicable.
8. Data subject rights
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising rights under Chapter III of the GDPR. Export and deletion self-service is available inside the Service; for requests that cannot be handled by self-service, the Controller may contact hello@lovex.dev.
9. Personal data breach
The Processor notifies the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting the Controller’s Personal Data. The notification describes the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address it.
10. DPIAs and consultations
The Processor provides reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
11. Return and deletion
On termination of the Controller’s use of the Service, the Processor deletes or returns Personal Data at the Controller’s choice within 30 days, except where retention is required by law. Backups containing Personal Data are overwritten according to the Processor’s backup rotation, normally within 30 days, after which the data is no longer accessible. The Controller may also export and delete at any time from within the Service.
12. Audits
The Processor makes available to the Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR, including summaries of applicable third-party audit reports and certifications, on request and subject to a confidentiality undertaking. The Controller may audit the Processor’s compliance with this DPA no more than once per twelve-month period on at least 30 days’ written notice, during business hours, subject to confidentiality, and at the Controller’s expense. Audits may not disrupt the Service or compromise the confidentiality of other customers’ data.
13. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This section does not limit liability to Data Subjects under Article 82 GDPR or liability that cannot be limited under applicable law.
14. Conflicts and order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data. A signed order form that expressly amends this DPA controls over the online version for the customer it is signed with.
15. Governing law
This DPA is governed by the laws of Sweden. The courts of Stockholm, Sweden have exclusive jurisdiction over disputes, without prejudice to the rights of Data Subjects to bring claims before the courts of their habitual residence as permitted by the GDPR.
Annex A — Sub-processors
The current list of authorized sub-processors, their role, jurisdiction, and transfer safeguards is maintained at /subprocessors and is incorporated into this DPA by reference.
Annex B — Technical and organizational measures
The Processor maintains the following measures, appropriate to the risk, and reviews them at least annually:
- Encryption. TLS 1.2+ for data in transit; encryption at rest on managed storage provided by our hosting and database sub-processors.
- Access control. Role-based access, least privilege for personnel, mandatory multi-factor authentication for administrative access, hardware-backed credentials where available.
- Tenant isolation. Row-level security policies at the database layer; per-tenant scoping enforced in application code; separate schemas where applicable.
- Secrets management. Secrets stored in managed secret stores; no secrets in source control; rotation on personnel changes.
- Logging and monitoring. Application and access logs retained for security investigation; alerting on anomalous access and error rates.
- Backups. Automated, encrypted backups of production databases with tested restore procedures.
- Change management. Version control, peer review, automated tests, and staged deploys for changes to production systems.
- Vulnerability management. Dependency scanning, timely patching, coordinated disclosure process at hello@lovex.dev.
- Personnel. Confidentiality obligations, data protection training on onboarding, prompt access revocation on departure.
- Physical security. Handled by our hosting and database sub-processors in certified data centers.
- Incident response. Documented process for detection, containment, notification (section 9), and post-incident review.
Contact
Questions about this DPA, requests for a signed counterpart, or data protection requests: hello@lovex.dev.