Data Processing Agreement
For business customers. Last updated: April 2026.
1. Parties and Scope
This Data Processing Agreement forms part of the customer agreement between the customer as Controller and Corelyx as Processor. It applies when Corelyx processes personal data on behalf of a customer through the Corelyx workflow automation platform.
2. Subject Matter, Duration, Nature, and Purpose
The subject matter is processing personal data submitted to, generated by, or routed through customer-defined Corelyx workflows. Processing lasts for the term of the customer agreement plus the deletion or return period. The nature of processing includes collection, transmission, storage, retrieval, structuring, logging, deletion, and support access as needed to provide workflow automation, execution, approval gates, operational logging, support, security, and account administration.
3. Data Subjects and Data Categories
Data subjects may include platform users, customer employees, contractors, contacts, leads, support requesters, end customers, or other individuals contained in customer-configured workflows. Personal data may include names, email addresses, user IDs, account metadata, workflow payloads, CRM/contact fields, message metadata or content where configured, approval context, logs, and connector metadata. Special-category processing is not intended by default and requires customer-side legal assessment and safeguards.
4. Processing Instructions
Corelyx processes personal data only on documented customer instructions, including product configuration, workflow settings, the customer agreement, this DPA, and lawful written support requests. Corelyx will notify the customer if it believes an instruction infringes GDPR or applicable EU or Member State data protection law.
5. Processor Obligations
Corelyx will ensure authorized personnel are bound by confidentiality obligations, maintain appropriate technical and organizational measures, assist with data subject requests and DPIAs where reasonably required, and delete or return personal data after termination according to the deletion and return clause.
6. Controller Obligations
The customer remains responsible for maintaining a valid legal basis, configuring workflows lawfully, providing required notices to data subjects, avoiding unnecessary personal data or secrets in prompts and logs, and conducting DPIAs where required for high-risk workflows.
7. Security Measures
Corelyx maintains measures aligned with GDPR Article 32, including encryption in transit, encrypted infrastructure and secret storage, server-side credential handling, owner-scoped access controls, human approval gates, audit logging, retention jobs, vulnerability disclosure, dependency scanning, SAST, and incident response procedures.
8. Subprocessors
Corelyx may use subprocessors listed in the public subprocessor registry. Corelyx will impose materially equivalent data protection obligations on subprocessors and remains responsible for their performance. The public registry is available at /subprocessors. Specific disclosure: Corelyx currently routes platform-key LLM calls through OpenRouter, Inc. (USA) using a Corelyx-managed API key. OpenRouter acts as a subprocessor for these calls. Corelyx does not currently hold a countersigned DPA with OpenRouter and is pursuing one. Until a signed DPA is in place, customers should not route special-category personal data or data subject to strict transfer restrictions through the Corelyx platform key. Customers may use their own Anthropic, OpenAI, or other provider API keys as an alternative.
9. Subprocessor Change Notice
Corelyx will provide at least 30 days' advance notice before adding or replacing a subprocessor that processes customer personal data, unless urgent security, availability, or legal requirements make advance notice impracticable. Customers may object on reasonable data protection grounds before the change takes effect.
10. International Transfers and EU Data Residency
Corelyx uses EU-first infrastructure and provides EU-only controls for eligible workflows. EU-only mode can restrict storage, logs, model providers, and workflow execution to approved EU/EEA infrastructure, but customer-selected integrations, model providers, email providers, analytics tools, billing providers, or account-level provider settings may still involve processing outside the EEA. Transfers outside the EEA require a lawful transfer mechanism such as Standard Contractual Clauses, an adequacy decision, or another GDPR Chapter V mechanism. LLM providers or subprocessors outside the EEA must have appropriate DPA/SCC coverage before production use with customer personal data.
11. Deletion and Return
Upon termination or written customer instruction, Corelyx will delete or return customer personal data within 30 days unless EU or Member State law requires retention. Deletion may occur through product self-service deletion, account deletion, database cascade deletion, Vault secret deletion, and subprocessor deletion requests or account cancellation where supported. Backup copies may persist until overwritten by normal backup rotation and remain protected during that period.
12. Data Subject Requests
Corelyx assists with data subject requests by providing account and workflow data export, machine-readable portability export, account deletion mechanisms, processing restriction flags, and audit records of submitted requests. The customer remains responsible for verifying identity and deciding the legally appropriate response where it determines the purpose and means of processing.
13. Personal Data Breach Notification
Corelyx will notify the customer without undue delay and, where feasible, within 24 hours after becoming aware of a personal data breach affecting customer personal data. The notice will include available information about the nature of the breach, the affected data subjects and records, the likely consequences, the measures taken or proposed, and the Corelyx contact point.
14. Audit Rights
Upon reasonable written request, Corelyx will provide information necessary to demonstrate compliance, such as security policy, subprocessor registry, incident response policy, retention documentation, and relevant third-party audit reports if available. On-site or invasive audits require reasonable notice, confidentiality protections, scope limitations, and safeguards for other customers' data and Corelyx security.
15. DPIAs and Prior Consultation
Corelyx will provide reasonable assistance for DPIAs and supervisory-authority consultations where the assistance relates to processing performed by Corelyx and the customer cannot reasonably obtain the information itself.
