Data Processing Agreement
GDPR · UK GDPR · Swiss FADP · CPRA-compatible
1. Subject and scope
This Data Processing Agreement ("DPA") forms part of the Liora Terms of Service between Liora Music Technologies, Inc. ("Processor" or "Liora") and the customer entity that has subscribed to a paid Liora plan ("Controller" or "Customer"). The DPA governs Liora's processing of Personal Data on behalf of the Customer.
This DPA implements the Customer's obligations under Article 28 GDPR (and equivalent provisions in UK GDPR, Swiss FADP, California CPRA, and other applicable laws).
2. Definitions
Capitalized terms have the meaning given in the GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed by Liora on behalf of the Customer in connection with the Service.
3. Subject matter, duration, nature, and purpose of processing
- Subject matter: provision of the Liora music generation Service.
- Duration: for the term of the Customer's subscription, plus any retention periods set out in the Privacy Policy.
- Nature and purpose: hosting, generating, transmitting, displaying, and storing User Content; authentication; billing; abuse prevention; aggregated, non-identifying analytics.
- Categories of data subjects: Customer's authorized users, end users, and any individuals whose data Customer submits to the Service.
- Categories of Personal Data: account data (name, email, locale, profile photo), Service data (prompts, lyrics, generated tracks, library metadata), device and technical data (IP address hash, browser, OS), and communications.
4. Processor obligations
Liora will:
(a) Process Personal Data only on documented instructions from the Customer (the Terms of Service constitute the initial documented instructions);
(b) Ensure persons authorized to process Personal Data are bound by confidentiality;
(c) Take all measures required under Article 32 GDPR (security measures listed in Annex A);
(d) Engage subprocessors only as permitted in Section 5;
(e) Assist the Customer with data subject rights requests, security obligations, and DPIAs;
(f) Delete or return Personal Data at the end of provision of the Service per Customer's choice;
(g) Make available all information necessary to demonstrate compliance and allow audits as set out in Section 8.
5. Subprocessors
Liora may engage subprocessors to provide the Service. The current list is published at /legal/subprocessors and updated at least 30 days before any addition or replacement that processes Customer Personal Data.
The Customer authorizes the use of subprocessors listed at the start of the term. The Customer may object to a new subprocessor on reasonable grounds within 14 days of notice. If Liora cannot accommodate, the Customer may terminate the affected portion of the Service for material breach.
6. International transfers
Where Personal Data of EEA/UK/Swiss residents is transferred outside the EEA/UK/Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (SCCs) of 4 June 2021 (Module Two: Controller to Processor), and the UK International Data Transfer Addendum. Liora acts as data importer.
7. Security measures
Liora implements the technical and organisational measures set out in Annex A to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
8. Audit rights
Once per calendar year, the Customer may, at its expense, request from Liora a copy of the most recent third-party security audit (e.g. SOC 2 Type II, ISO 27001), if available. On-site audits are limited to enterprise contracts and require 30 days' notice and execution of a separate audit agreement.
9. Personal data breach
Liora will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach. The notice will include all information required by Article 33(3) GDPR insofar as known at the time, with updates as the investigation progresses.
10. Data subject rights
Liora will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to data subject rights requests under GDPR Chapter III. Liora's standard tooling supports access, rectification, erasure, restriction, and portability requests.
11. Deletion or return
Within 30 days of contract termination, Customer may export all User Content via the standard export tools. After 60 days, Liora will delete all Personal Data unless retention is required by law. Backups are purged within 35 days thereafter.
12. Liability
The liability provisions in the Terms of Service apply to this DPA.
13. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to processing of Personal Data.
Annex A — Technical and organisational measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege principle.
- Multi-factor authentication enforced for all Liora personnel with Customer-data access.
- Audit logging for all production data access.
- Vulnerability scanning (weekly), penetration testing (annual), bug bounty (continuous).
- SOC 2 Type II audit (target completion: 12 months from launch).
- Vendor risk assessments for all subprocessors.
- Incident response plan with quarterly tabletop exercises.
- Data backup with monthly restore tests.
- Geographic redundancy across two regions.
How to execute this DPA
This DPA is incorporated by reference into the Liora Terms of Service for any Customer on a Creator, Studio, or Enterprise plan. For a counter-signed copy, email [email protected] with your Customer name and the date you accepted the Terms.