About this document
This Data Processing Agreement ("DPA") supplements the Lacuna Labs Terms of Service for clients who process personal data using the platform in a business or institutional context, or who are subject to UK GDPR, EU GDPR, LGPD, or equivalent data protection legislation. It formalises the data sovereignty architecture of the platform and the respective obligations of the parties. To execute this DPA, contact hello@lacunalabs.eu.
1. Parties and definitions
This Data Processing Agreement is entered into between:
Data Controller ("Client"): The organisation or individual identified in the subscription agreement or institutional contract with Lacuna Labs.
Data Processor ("Lacuna Labs"): Lacuna Labs Intelligence Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person, as defined under applicable data protection law including UK GDPR Art. 4(1), EU GDPR Art. 4(1), and LGPD Art. 5(I).
"Processing"
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Document Corpus"
The collection of files, documents, and text data processed by the Client using the Lacuna Labs platform.
"Local Processing"
Data processing that occurs exclusively within the Client's web browser, without transmission to external servers.
"Platform Personal Data"
Personal data processed by Lacuna Labs in connection with account management, billing, and service delivery — distinct from Document Corpus data, which is processed locally by the Client.
2. Subject matter and nature of processing
This DPA governs the processing of personal data by Lacuna Labs on behalf of the Client in connection with the provision of the Lacuna Labs Gap Intelligence Platform. The DPA applies exclusively to Platform Personal Data (account, billing, and contact information). Document Corpus data is subject to the Data Sovereignty Declaration in Section 3.
Categories of personal data processed:
- User account data: name, email address, password hash
- Billing data: payment confirmation, subscription status (payment and card data is processed exclusively by Paddle.com acting as Merchant of Record — Lacuna Labs does not receive or store card data)
- Communication records: email correspondence with Lacuna Labs
- Usage metadata: anonymised, aggregated platform usage statistics
Categories of data subjects: Authorised users of the Client's Lacuna Labs account.
Purpose of processing: Service delivery, account management, billing, support, and legal compliance.
Duration: For the term of the subscription and as required by applicable law thereafter.
3. Data sovereignty declaration
Architectural data sovereignty guarantee
The following declaration forms a material term of this Agreement and constitutes a formal warranty by Lacuna Labs to the Client.
Lacuna Labs warrants that the core analytical functions of the platform — including document ingestion, text extraction, corpus analysis, heat map generation, gap detection, word cloud rendering, connection graph computation, and BibTeX/RIS/CSV import — are performed exclusively within the Client's web browser using local computation. No document content, corpus text, file data, research material, or derivative analytical output (except as specified below) is transmitted to Lacuna Labs servers or any third party during these operations.
This architectural design provides the following data sovereignty guarantees:
- Commercial secrets: Proprietary research, competitive intelligence, trade secrets, and commercially sensitive strategies processed using the platform remain exclusively within the Client's computing environment.
- State and classified information: Documents subject to national security classifications, official secrets legislation, or equivalent legal protections may be processed without departure from the applicable information security regime, provided the Client operates the platform in offline mode (without the optional AI Advisor feature).
- Legal privilege: Documents protected by attorney-client privilege, legal professional privilege, or equivalent professional secrecy protections may be processed without risk of inadvertent disclosure to third parties.
- Research data: Unpublished research, pre-publication findings, clinical trial data, and confidential survey responses may be processed without transmission outside the Client's control.
Gap Intelligence Advisor — exception and opt-in disclosure
The optional AI Advisor feature, when activated by the user, transmits a statistical summary (term names and frequency statistics only — not document content) to a third-party AI provider selected by the user. This transmission:
- Requires explicit user activation and confirmation at each use;
- Displays the exact data to be transmitted for user review before transmission;
- Is entirely optional and may be disabled by institutional administrators;
- Never includes document content, file data, or corpus text;
- Is directed to a provider specified by the user using their own API credentials.
Clients operating under strict data sovereignty requirements should disable the AI Advisor feature for all users. Contact us to discuss institutional configuration options.
4. Controller obligations
The Client, as data controller, warrants that:
- It has a lawful basis for processing personal data using the platform;
- It has provided appropriate privacy notices to data subjects whose data it processes;
- It complies with all applicable data protection laws in its jurisdiction;
- It has appropriate authorisation to process any classified, privileged, or otherwise restricted information using the platform;
- It will not use the AI Advisor feature to process data subject to security classifications or legal privilege without first confirming compliance with applicable information security and professional conduct requirements.
5. Processor obligations
Lacuna Labs, as data processor with respect to Platform Personal Data, shall:
- Process Platform Personal Data only on documented instructions from the Client, unless required to do so by applicable law;
- Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations;
- Implement and maintain the technical and organisational measures set out in Annex A;
- Assist the Client in fulfilling its obligations to respond to data subject rights requests;
- Not transfer Platform Personal Data to a third country without appropriate safeguards;
- Maintain records of all categories of processing activities carried out on behalf of the Client;
- Notify the Client without undue delay upon becoming aware of a personal data breach affecting Platform Personal Data.
API keys and third-party services — supplementary provisions
Architectural clarification — third-party API flows
API keys configured by Client users are stored exclusively in browser localStorage and are never transmitted to or stored by Lacuna Labs. Third-party API calls are made directly from the user's browser to the external provider. Lacuna Labs is not a sub-processor in respect of data transmitted to third-party API providers.
Independent processor status of third-party API providers. Where Client users configure connections to third-party APIs (including AI providers, news APIs, patent databases, or academic databases), those providers receive data directly from the user's browser under the user's own credentials. Such providers are independent controllers or processors with respect to data they receive. They are not sub-processors of Lacuna Labs and are not subject to this DPA.
Client obligations regarding third-party APIs. The Client shall ensure that its users:
- Review and accept the terms of service and privacy policy of each third-party provider before use;
- Do not transmit classified, legally privileged, or specially sensitive personal data to third-party providers without appropriate authorisation and verification of the provider's data handling practices;
- Comply with applicable data protection law when transmitting any personal data to third-party providers through the platform.
AI Advisor — specific DPA provision. The AI Advisor feature transmits corpus term statistics (term names and frequency counts only — not document content) directly to the user-selected AI provider. This transmission falls outside the scope of Lacuna Labs' processing under this DPA. The Client is responsible for ensuring such use is consistent with its data protection obligations, including any requirement to conduct a Data Protection Impact Assessment (DPIA) under UK GDPR Art. 35 or EU GDPR Art. 35 before enabling the Advisor feature for institutional users.
7. Security measures
The technical and organisational measures implemented by Lacuna Labs are described in Annex A. These include, at minimum:
- TLS 1.2+ encryption for all data in transit;
- Cryptographic hashing of passwords using industry-standard algorithms;
- Access controls and principle of least privilege for all internal systems;
- Regular security reviews of platform code and infrastructure;
- Local processing architecture ensuring document content never traverses Lacuna Labs infrastructure.
8. Data subject rights
Lacuna Labs shall provide reasonable assistance to the Client in responding to data subject rights requests within the timeframes required by applicable law. Because document content is processed locally by the Client and never transmitted to Lacuna Labs, the Client is solely responsible for responding to data subject rights requests relating to document corpus data.
9. Data breach notification
In the event of a personal data breach affecting Platform Personal Data (account data), Lacuna Labs shall notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach. Notification shall include the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
10. International transfers
Lacuna Labs is incorporated in the United States. Where Platform Personal Data is transferred from the EEA, UK, or Brazil to the United States, Lacuna Labs relies on:
- EEA: Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914);
- UK: UK International Data Transfer Agreement (IDTA) or addendum to EU SCCs;
- Brazil: Contractual safeguards consistent with LGPD Chapter V and ANPD guidance.
Executed copies of applicable SCCs or IDTAs will be provided upon request.
11. Audit rights
The Client may audit Lacuna Labs' compliance with this DPA once per year upon 30 days' written notice, or at any time following a suspected security incident. Audits may be conducted by the Client or an independent third-party auditor subject to reasonable confidentiality obligations. Lacuna Labs may satisfy audit requirements by providing relevant certifications, third-party audit reports, or written responses to audit questionnaires where a physical audit is disproportionate.
12. Term and termination
This DPA remains in force for the duration of the subscription agreement and any period during which Lacuna Labs continues to process Platform Personal Data. Upon termination, Lacuna Labs shall delete Platform Personal Data within 30 days unless retention is required by applicable law, and shall provide written confirmation of deletion upon request.
13. Governing law
This DPA is governed by the laws of the State of England and Wales, United Kingdom, except where mandatory provisions of the UK GDPR, EU GDPR, LGPD, or other applicable data protection law require the application of another legal system, in which case those provisions shall apply to the extent of their mandatory application.
14. Execution
This DPA is incorporated into the Lacuna Labs Terms of Service by reference. For clients requiring a separately executed DPA document, please contact hello@lacunalabs.eu. A signed version will be provided within 5 business days.
Lacuna Labs (Data Processor)
Organisation name
Lacuna Labs Intelligence Ltd
Authorised signatory
[Authorised signatory]
Annex A — Technical and organisational security measures
Technical measures
- Local processing architecture: Core document analysis performed exclusively in the user's browser — no document content transmitted to servers.
- Encryption in transit: All data transmitted to Lacuna Labs servers is protected by TLS 1.2 or higher.
- Encryption at rest: Platform Personal Data stored in server-side databases is encrypted at rest using AES-256 or equivalent.
- Password security: User passwords are stored as cryptographic hashes using industry-standard algorithms (bcrypt or equivalent). Plaintext passwords are never stored.
- Access controls: Access to production systems and personal data is restricted to authorised personnel on a need-to-know basis.
- HTTPS enforcement: All platform endpoints enforce HTTPS. HTTP connections are automatically redirected.
Organisational measures
- Data minimisation: Lacuna Labs collects only personal data necessary for service delivery.
- Purpose limitation: Platform Personal Data is used exclusively for service delivery, billing, and legal compliance.
- Confidentiality obligations: All personnel with access to personal data are subject to contractual confidentiality obligations.
- Incident response: Lacuna Labs maintains an incident response procedure for personal data breaches including assessment, containment, and notification.
- Privacy by design: The local processing architecture is the primary privacy-by-design measure, ensuring document data is never exposed to Lacuna Labs infrastructure.
Annex B — Sub-processor list
Authorised sub-processors
| Sub-processor | Location | Purpose | Data processed |
| --- | --- | --- | --- |
| Paddle Payments Ltd | USA | Payment processing | Payment information, billing email |
| Platform hosting provider | Switzerland (Infomaniak SA) | Static file hosting | None — static HTML/JS files only |
Note: Third-party AI providers (DeepSeek, OpenAI, Anthropic, Google Gemini) connected through the optional AI Advisor are not sub-processors of Lacuna Labs. They receive data directly from the user under the user's own API credentials and are independent controllers/processors with respect to that data.