Data Processing Addendum
Last updated: July 12, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Nestware Labs, LLC (“we”, the “processor”) and the customer organization (“you”, the “controller”) for the use of LotThread. It applies whenever we process personal data contained in your workspace on your behalf.
1. Roles and scope
You are the controller of the personal data in your workspace (member account details and any personal data in your operational records, such as customer contact emails); we process it only to provide the service. We are an independent controller for our own account records and billing.
2. Processing instructions
We process workspace personal data only on your documented instructions - operating the service, providing support you request, and complying with law. We do not sell it or use it for advertising.
3. Confidentiality and security
Personnel with access are bound by confidentiality obligations. We maintain technical and organizational measures appropriate to the risk, including encryption in transit, tenant isolation, access controls, and an append-only audit ledger, as described in our Privacy Policy.
4. Subprocessors
You authorize the subprocessors listed on our Subprocessors page. We remain responsible for their performance and will provide notice of material changes where required.
5. Data subject requests
Taking into account the nature of the processing, we assist you in responding to data subject requests: workspace administrators can export all workspace data and request permanent deletion directly in the product (Organization settings → Your data). If a data subject contacts us directly about data in your workspace, we will refer them to you where appropriate.
6. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your workspace and provide information reasonably needed for your own notification obligations.
7. Deletion and return
On termination, or on your request at any time, you may export your workspace data in open formats. On a deletion request we permanently erase the workspace, including the audit ledger and member accounts, within 30 days, unless retention is required by law.
8. Audits and transfers
We will make available information reasonably necessary to demonstrate compliance with this DPA. For cross-border transfers we rely on appropriate safeguards such as Standard Contractual Clauses where required.
[Have a lawyer review this DPA and confirm it matches your obligations before relying on it with enterprise customers.]