Data Processing Agreement
Last updated: 2026-06-29
1. Introduction and Parties
This Data Processing Agreement ("DPA") is entered into between Libertas Link ("Libertas Link," "we," "our," or "us") and the customer that has accepted our Terms of Use (the "Customer," "you," or "your"). It governs the processing of Personal Information that Libertas Link performs on the Customer's behalf in connection with the Libertas Linkplatform and related services (the "Service").
This DPA forms part of, and is incorporated by reference into, the Terms of Use between the parties (together with this DPA, the "Agreement"). Capitalized terms not defined here have the meaning given in the Terms of Use. This DPA is effective as of the date the Customer first accepts the Terms of Use or begins using the Service, whichever is earlier, and was last updated on the date shown above.
The Service is operated from the United States and is intended for businesses located in the United States. Libertas Link processes Personal Information only within the United States, as described in Section 10 (Data Residency).
2. Definitions
The following definitions apply to this DPA and are aligned with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA/CPRA"). Where the CCPA/CPRA defines a term differently, the statutory meaning controls.
- Controller / Business: The entity that determines the purposes and means of processing Personal Information. For Customer Content, the Customer is the Business (Controller).
- Processor / Service Provider: The entity that processes Personal Information on behalf of, and at the direction of, the Business. With respect to Customer Content, Libertas Link acts as the Service Provider (Processor).
- Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined under the CCPA/CPRA.
- Customer Content: The documents, links, queries, prompts, project context, and other materials that the Customer or its authorized users upload to or submit through the Service, including any Personal Information they contain.
- Subprocessor: Any third party engaged by Libertas Link to process Customer Content in connection with providing the Service.
- Consumer / Data Subject: A natural person whose Personal Information is contained in Customer Content.
3. Roles of the Parties and Scope of Processing
As between the parties, the Customer is the Business (Controller) of Customer Content and Libertas Linkis the Service Provider (Processor) acting on the Customer's behalf.Libertas Linkprocesses Customer Content only to provide, maintain, secure, and improve the Service for the Customer, and only in accordance with the Customer's documented instructions as described in Section 5.
3.1 Nature and Purpose of Processing
The Service is an AI assistant that operates over a business's own uploaded documents. The purpose of processing is to ingest and index Customer Content, generate AI responses grounded in and citing that content, and support related features such as drafting replies. Processing operations include collection, storage, indexing, retrieval, organization, transmission, and deletion.
3.2 Categories of Data and Data Subjects
The categories of Personal Information and the categories of Data Subjects are determined by the Customer through the content it chooses to submit. They may include the Customer's personnel, customers, vendors, and other individuals referenced within Customer Content. Libertas Link does not require, request, or intentionally collect special categories of data through Customer Content.
3.3 Duration
Processing continues for the duration of the Agreement and until Customer Content is returned or deleted in accordance with Section 11.
4. Service-Provider Obligations and Limitations
In its role as a Service Provider (Processor) under the CCPA/CPRA, Libertas Link agrees that it will:
- Not sell or share (as those terms are defined under the CCPA/CPRA) Customer Content, and not receive any monetary or other valuable consideration in exchange for Customer Content;
- Not retain, use, or disclose Customer Content for any purpose other than the specific business purpose of performing the Service for the Customer, including not retaining, using, or disclosing it outside the direct business relationship between the parties;
- Not combine Customer Content with Personal Information that Libertas Link receives from, or on behalf of, any other person, or that it collects from its own interactions with consumers, except as permitted by the CCPA/CPRA to perform the Service;
- Not use Customer Content to train, fine-tune, or improve any general-purpose, foundation, or shared machine-learning models, and not allow its AI providers (including Cloudflare Workers AI) to do so;
- Notify the Customer if Libertas Link determines that it can no longer meet its obligations under the CCPA/CPRA, and, upon such notice, cooperate with the Customer to remediate or stop the unauthorized processing.
Libertas Link certifies that it understands and will comply with these restrictions.
5. Customer Instructions and Responsibilities
The Customer is responsible for the accuracy, quality, and legality of Customer Content and for the means by which it acquired Customer Content. The Customer represents that it has a lawful basis to provide Customer Content to Libertas Link and to instruct the processing described in this DPA, and that it has provided all required notices and obtained all required consents from relevant Data Subjects.
The Customer's instructions to Libertas Link are limited to the lawful processing necessary to provide the Service, as set out in the Agreement and as configured by the Customer through the Service. Libertas Linkwill follow the Customer's reasonable documented instructions and will inform the Customer if it believes an instruction violates applicable law.
5.1 Prohibited Data
The Service is not designed for, and the Customer must not submit, protected health information or other records regulated under the Health Insurance Portability and Accountability Act (HIPAA), and Libertas Linkis not a "business associate" under HIPAA. The Customer must also not submit payment card data subject to PCI DSS, government-issued identifiers used as primary identifiers, or other categories of highly sensitive or specially regulated data prohibited by the Agreement. The Customer is solely responsible for screening Customer Content before submission.
6. Subprocessors
The Customer authorizes Libertas Link to engage Subprocessors to process Customer Content in connection with the Service. Libertas Link relies on a limited set of infrastructure and platform providers, including Cloudflare (US-region hosting, including the D1, R2, and Vectorize services, and Workers AI inference) and Stripe (payment processing for subscriptions). The current list of Subprocessors, together with their function and processing location, is maintained in our Subprocessor List, which is available on request and cross-referenced here.
Libertas Linkimposes data-protection obligations on each Subprocessor that are substantially similar to those in this DPA and remains responsible for each Subprocessor's performance of its obligations. Libertas Link will provide notice before adding or replacing a Subprocessor that processes Customer Content. The Customer may object to a new Subprocessor on reasonable data-protection grounds within thirty (30) days of notice; if the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service as its sole remedy.
7. Security Measures
Libertas Link maintains technical and organizational measures designed to protect Customer Content against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption of Customer Content in transit (TLS) and at rest;
- Logical tenant isolation in a multi-tenant architecture so that each Customer's content is scoped to that Customer;
- Role-based access controls and least-privilege access for Libertas Link personnel, with access to Customer Content limited to those who need it to operate or support the Service;
- Authentication and session controls for Customer accounts (provided through Better Auth);
- Logging, monitoring, and routine review of access to production systems;
- Reliance on the security controls and certifications of its primary infrastructure provider, Cloudflare.
Libertas Link may update these measures from time to time, provided that the updates do not materially reduce the overall level of protection.
8. Security Incident Notification
Libertas Link will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content processed by Libertas Linkor its Subprocessors (a "Security Incident").
The notification will describe, to the extent known, the nature of the Security Incident, the categories and approximate volume of affected Customer Content, the likely consequences, and the measures taken or proposed to address it. Libertas Link will provide reasonable cooperation and updates as the investigation progresses. Notice of a Security Incident is not an acknowledgment of fault or liability.
9. Assistance with Rights Requests and Compliance
Taking into account the nature of the processing, Libertas Link will provide reasonable assistance to enable the Customer to respond to requests from consumers or other Data Subjects to exercise their rights under applicable privacy laws (including rights to access, correct, delete, or limit the use of Personal Information). Where the Customer can fulfill such a request through the self-service features of the Service, the Customer will use those features.
If Libertas Linkreceives a request directly from a consumer relating to Customer Content, it will, where lawful, direct the consumer to the Customer and will not respond to the request except on the Customer's documented instructions. Libertas Linkwill also provide the Customer with information reasonably necessary to support the Customer's data-protection assessments and compliance obligations relating to the Service.
10. Data Residency
Customer Content is stored and processed within the United States. Libertas Linkuses Cloudflare's US-region services for hosting and storage, including D1 (database), R2 (object storage), and Vectorize (vector indexes), and Cloudflare Workers AI for inference. Libertas Link does not intentionally store Customer Content outside the United States. Limited operational metadata or payment-related data may be processed by Subprocessors such as Stripe in accordance with their own practices.
11. Data Export, Return, and Deletion
During the term of the Agreement, the Customer may access and export Customer Content through the features made available in the Service. On termination or expiration of the Agreement, Libertas Link will, at the Customer's choice, return or delete Customer Content, except to the extent retention is required by applicable law.
Unless the Customer requests return or earlier deletion, Libertas Link will delete Customer Content (including from D1, R2, and Vectorize) within a commercially reasonable period after termination. Residual copies in routine backups will be deleted in the ordinary course according toLibertas Link's retention schedule and remain protected by this DPA until deleted.
12. Audit and Compliance Verification
Libertas Link will make available to the Customer information reasonably necessary to demonstrate its compliance with this DPA. This may include summaries of Libertas Link's security measures and relevant certifications or third-party reports of Libertas Link or its infrastructure providers, where available.
Where required by applicable law and where the documentation above is insufficient, the Customer may request an audit no more than once per twelve (12) month period, on reasonable prior written notice, during business hours, subject to confidentiality obligations, and conducted so as not to disruptLibertas Link's operations or compromise the security or confidentiality of other customers' data. The Customer bears its own costs for any such audit.
13. Liability, Precedence, and Governing Law
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Use, and any reference to a party's liability means the aggregate liability of that party under the Agreement as a whole.
In the event of a conflict between this DPA and the Terms of Use regarding the processing of Personal Information, this DPA controls to the extent of the conflict. In all other respects, the Terms of Use remain in full force and effect. This DPA is governed by the same governing law and venue provisions as the Terms of Use.
Libertas Link
Questions about this DPA? Email support@libertaslink.com.