Daylit data processing agreement (DPA)
Latest Revision: December 5th, 2025
This Data Processing Agreement (“DPA”) is a standalone agreement between Lendica Corp. (d/b/a “Daylit”) and any customer that uses the Services (“Customer”). This DPA governs Daylit’s Processing of Personal Data in connection with the Services and becomes effective upon the earlier of (i) Customer’s acceptance of the DPA, or (ii) Daylit’s Processing of Personal Data on Customer’s behalf. For purposes of this DPA, references to the “Agreement” mean the Cloud Service Agreement.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that is provided to Daylit or Processed by Daylit in connection with the Services. Personal Data includes only the limited categories of personal information that may appear within Customer Data (such as business contact information, user account details, and information contained in AR or financial records), and has the meaning assigned to “personal information” or “personal data” under applicable U.S. state privacy laws, including the CCPA.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100–1798.199, as amended by the California Privacy Rights Act of 2020.
“GLBA” means the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801–6809 and §§ 6821–6827, and its implementing regulations, including the Safeguards Rule (16 C.F.R. Part 314) and Privacy Rule (16 C.F.R. Part 313).
“Data Protection Laws” means all data protection, privacy, and data security laws and regulations applicable to the Processing of Personal Data under the CSA and this DPA, including, as applicable, U.S. federal and state privacy and data security laws.
“Data Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Data Processor” means the entity that Processes Personal Data on behalf of a Data Controller.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“Incident” means a data security incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Processing” (and “Process”) means any operation performed on Personal Data, including collecting, recording, storing, using, disclosing, or deleting such data.
“Subprocessor” means any third party engaged by Daylit to Process Customer Personal Data on Daylit’s behalf.
2. Daylit as Data Processor and Data Controller
2.1 Daylit as Data Processor
Daylit acts as a Data Processor when Processing Customer Personal Data on Customer’s behalf and in accordance with Customer’s documented instructions, including to:
- Ingest, normalize, and reconcile AR and related financial data from Customer’s connected systems;
- Store and organize such data to provide the Services;
- Generate analytics, dashboards, insights, and workflows for Customer’s internal use;
- Execute Customer-configured workflows;
- Provide support and maintenance services.
2.2 Daylit as Independent Data Controller
Daylit acts as an independent Data Controller when it determines the purposes and means of Processing Personal Data, including when Daylit:
- Analyzes platform usage to maintain, improve, and develop the Services;
- Manages its own business operations (billing, CRM, compliance);
- Complies with legal or regulatory obligations; or
- Maintains records required by law.
2.3 Data Subjects
Personal Data may relate to:
- Customer’s employees or authorized users;
- Customer’s business contacts; and
- Individuals whose information appears in AR, accounting, or financial records.
2.4 Categories of Personal Data
Depending on Customer configuration, Personal Data may include:
- Business contact information;
- User account credentials and usage metadata;
- AR, accounting, CRM, or financial record information;
- Invoice and transaction metadata;
- Technical and usage data (e.g., IP addresses, logs);
- Limited financial account identifiers (where provided);
- Other data Customer elects to process via the Services.
3. Nature and Purpose of Processing
3.1 Processor Purposes
When acting as Data Processor, Daylit Processes Personal Data solely to:
- Provide, operate, and support the Services;
- Execute Customer’s documented instructions;
- Perform technical operations necessary to deliver the Services; and
- Fulfill purposes documented in the CSA or this DPA.
3.2 Controller Purposes
When acting as Data Controller, Daylit Processes Personal Data for the purposes described in Section 2.2.
4. Daylit’s Obligations as Data Processor
To the extent Daylit acts as Data Processor for Customer Personal Data, Daylit will:
Confidentiality. Ensure personnel authorized to Process Personal Data are bound by confidentiality obligations and trained on privacy and security.
Security Measures. Implement appropriate technical and organizational measures to protect Personal Data, as described in Exhibit A, which may be updated without materially reducing protection.
Data Subject Requests. Provide reasonable assistance with Data Subject rights requests where required by law, subject to reasonable fees for material effort.
Legal Requests. Notify Customer of legal requests for Personal Data where permitted and disclose only what is legally required.
Compliance Assistance. Assist Customer with data protection impact assessments and regulatory consultations as required by law.
Data Retention and Deletion. Process Personal Data for the Subscription Term and any wind-down period.
Customer Data Export. Provide Customer Data exports within thirty (30) days following termination upon request.
Deletion or Anonymization. Delete or anonymize Customer Personal Data after export, subject to legal retention requirements.
5. Subprocessors
Authorization. Customer authorizes Daylit to engage Subprocessors.
Subprocessor Obligations. Subprocessors must provide protections no less protective than this DPA.
Notice. Daylit will provide advance notice before engaging new Subprocessors.
Objection Rights. Customer may object on reasonable data-protection grounds and terminate affected Services if unresolved.
6. Customer Obligations as Data Controller
Customer is responsible for:
- Maintaining a lawful basis for Processing;
- Providing required notices and obtaining consents;
- Ensuring lawful instructions and configuration of the Services;
- Minimizing sensitive Personal Data;
- Responding to Data Subject requests.
7. Liability and Mutual Indemnification
Liability. The CSA’s liability limitations apply to this DPA.
Customer Indemnification. Customer will indemnify Daylit for claims arising from unlawful instructions, Customer Data, or Customer non-compliance.
Daylit Indemnification. Daylit will indemnify Customer for claims arising from Daylit’s breach of this DPA as a Data Processor.
Exclusions. Indemnification does not apply to misuse, misconfiguration, unlawful data, or controller activities.
Procedure. The indemnifying party controls defense and settlement, subject to notice and cooperation requirements.
8. Term, Termination, and General Provisions
Term. This DPA remains in effect for as long as Daylit Processes Personal Data under the Agreement.
Amendment. Daylit may amend this DPA, with termination rights for material changes.
Conflicts. This DPA controls for data protection matters.
Dispute Resolution. Governed by the Agreement.
Severability. Invalid provisions will be reformed while preserving intent.
Governing Law. Governed by the same law as the Agreement.