Data Processing Agreement

The Processor processes Personal Data solely to provide the lakesight.io Service as described in the Terms of Service. The nature of the processing involves:

• Storing Customer account information
• Using Workspace Credentials (URL + PAT) to query the Databricks REST API on behalf of the Customer
• Displaying cost and usage analytics within the platform

Processing shall be carried out only on documented instructions from the Controller.

Categories of data subjects:

• Employees or representatives of the Customer
• End users of the Customer's Databricks workspace (indirectly, via metadata)

Types of personal data:

• Email addresses, names
• Job/run/cluster metadata (names, timestamps, cost data) — which may incidentally contain identifiers

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures per Article 32 GDPR
• Not engage new sub-processors without prior notification to the Controller
• Assist the Controller in responding to data subject rights requests
• Delete or return all Personal Data upon termination of the agreement
• Make available all information necessary to demonstrate compliance

The Customer authorizes lakesight.io to engage sub-processors for the purposes of hosting and payment processing. Current sub-processors: Microsoft Azure (hosting), Stripe (payments). The Processor shall notify the Customer of any intended changes to sub-processors at least 30 days in advance.

The Processor implements the following measures (Article 32 GDPR):

• Encryption of data in transit (TLS 1.2 or higher)
• Storage of PAT tokens exclusively in Microsoft Azure Key Vault
• Access control and authentication mechanisms

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach. The notification shall include the nature of the breach, the categories and approximate number of individuals concerned, and the measures taken to address it.

The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests. Requests should be submitted to: legal@lakesight.io

Personal data is hosted within the European Union (Microsoft Azure, West Europe). In the event data is transferred to a third country, it shall only occur in compliance with Chapter V of the GDPR, including where appropriate the use of Standard Contractual Clauses.

Upon termination of the Terms of Service, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days. Copies retained for legal compliance purposes will be maintained confidentially and deleted once the retention obligation expires.

This DPA is governed by French law and the GDPR. Any dispute shall be resolved before the competent French courts.