Legal
Data Processing Agreement
Effective date: June 11, 2026
This Data Processing Agreement ("DPA") forms part of the Backlit Terms of Use between Nyfty.ai, Inc., a Delaware corporation, trading as Backlit ("Backlit" or "Processor") and the customer that accepts the Terms ("Customer" or "Controller"). It applies to the processing of Customer Personal Data, meaning personal data that the Customer or its end users submit to, or that is generated through use of, the service, including end-user identity records and any personal data stored in a glow's shared (data), per-user (userdata), public-read (records), or write-only (capture) stores. Capitalised terms not defined here have the meanings given in the Terms of Use; "Controller", "Processor", "Sub-processor", "Personal Data", "Processing", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR.
1. Subject matter and details of processing
The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I. This DPA is intended to satisfy Article 28(3) GDPR.
2. Processing on documented instructions
Backlit will process Customer Personal Data only on the Controller's documented instructions, including for international transfers, unless required to do otherwise by EU or member-state law to which Backlit is subject. In that case Backlit will inform the Controller of the legal requirement before processing, unless that law prohibits it. The Terms of Use, this DPA, and the Customer's configuration and use of the service through its documented interfaces (console, API, SDK, MCP) are the Customer's complete and final instructions. Backlit will inform the Controller if, in its opinion, an instruction infringes data protection law.
Where the Controller operates the service through an AI assistant or agent (for example via the MCP interface or a connector listing), instructions issued that way are the Controller's documented instructions. The provider of that assistant acts as the Controller's own tool or processor and not as a Backlit Sub-processor; it is not listed in Annex III, and Backlit is not responsible for that provider's processing of personal data outside the service. The Controller is responsible for having a lawful basis, and any terms it requires with that provider, for routing Customer Personal Data through the assistant.
3. Confidentiality
Backlit ensures that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and receive appropriate data-protection training.
4. Security
Backlit implements the technical and organisational measures set out in Annex II to provide a level of security appropriate to the risk, in accordance with Article 32 GDPR.
5. Sub-processors
The Controller grants Backlit general written authorisation to engage Sub-processors. The Sub-processors engaged at the effective date are listed in Annex III. Backlit imposes data-protection obligations equivalent to this DPA on each Sub-processor by written contract and remains fully liable for each Sub-processor's performance.
Backlit will give at least 30 days' notice before adding or replacing a Sub-processor, by updating Annex III on this page and emailing the Customer's account address. The Customer may object on reasonable data-protection grounds within that period. The parties will work in good faith to resolve the objection; if they cannot, the Customer may terminate the affected service without penalty.
6. Assistance with data subject rights
Taking into account the nature of the processing, Backlit will assist the Controller, by appropriate technical and organisational measures and insofar as possible, to respond to Data Subject requests under Chapter III GDPR. The service provides self-service capabilities for this, including:
- Access and portability: listing and retrieving stored values per silo, version-bundle export, and data-download URLs;
- Erasure: per-key deletion, removal of an end-user identity record, and whole-glow deletion, which triggers irreversible hard deletion of assets and data within 30 days;
- Rectification: updating end-user records and stored values;
- Restriction and objection: setting a glow inactive ("Dark") and revoking access.
Where a request cannot be actioned through self-service, Backlit will provide reasonable assistance on the Controller's documented request, in time for the Controller to meet its one-month statutory deadline.
7. Personal data breach
Backlit will notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. Backlit will cooperate reasonably to help the Controller meet its obligations under Articles 33 and 34 GDPR. Notification is not an acknowledgement of fault or liability.
8. Impact assessments
Backlit will give the Controller reasonable assistance, taking into account the nature of the processing and the information available to it, with data protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 GDPR.
9. Deletion and return
On termination or expiry of the service, Backlit will, at the Controller's choice, delete or return all Customer Personal Data and delete existing copies within 30 days, unless EU or member-state law requires storage. Customer Personal Data in routine backups is deleted in line with Backlit's backup-retention cycle and is not restored except for disaster recovery.
10. International transfers
The Controller acknowledges and instructs that, as described in the Terms of Use, Customer Personal Data is transferred to the United States (control plane) and may be processed by Sub-processors in third countries (Annex III).
For transfers to a third country without an adequacy decision, the parties rely on the following safeguards, in order:
- where the data importer is certified under the EU-US Data Privacy Framework (including the UK Extension and the Swiss-US framework as applicable), that certification; and
- otherwise, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor) between Controller and Backlit and Module Three (Processor to Sub-processor) as applicable, which are incorporated into this DPA by reference and completed by Annex I (parties and processing description), Annex II (security measures), and Annex III (Sub-processors). For UK transfers the UK International Data Transfer Addendum applies; for Swiss transfers the SCCs apply as adapted by the Swiss FDPIC. For the purposes of the SCCs, the governing law and forum are those of Ireland.
Backlit has carried out, and will maintain, a transfer impact assessment of the US transfer and will make a summary available to the Controller on request to reporting@backlit.run.
11. Audit
Backlit will make available to the Controller the information reasonably necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits. The audit right is satisfied first by Backlit providing relevant third-party certifications and audit reports (for example the underlying infrastructure provider's SOC 2 and ISO 27001 reports) where available. A direct audit is limited to once per 12 months, on reasonable prior notice, during business hours, subject to confidentiality, and at the Controller's cost, except where an audit reveals material non-compliance.
12. General
If this DPA conflicts with the Terms of Use regarding the processing of Customer Personal Data, this DPA prevails. Where the SCCs apply, the SCCs prevail over this DPA to the extent of any conflict. This DPA is governed by the laws of the State of Delaware, USA, except that the SCCs are governed as stated in section 10.
Annex I: Description of processing
Parties. Data exporter and Controller: the Customer accepting the Terms, contactable at the account email on file. Data importer and Processor: Nyfty.ai, Inc., trading as Backlit, contactable at reporting@backlit.run.
Data subjects. The Customer's end users (the people who sign in to or interact with the Customer's glows) and, where applicable, individuals whose personal data the Customer's application stores.
Categories of personal data. End-user identity records: email address, name, mobile number, permission level, and internal user identifier. Application data submitted to a glow's shared (data), per-user (userdata), public-read (records), and write-only (capture) stores, with content determined solely by the Customer. Special categories of personal data are prohibited by the Terms of Use and are not permitted.
Frequency, nature, and purpose. Continuous, for the duration of the service: hosting, storage, transmission, authentication, access control, and delivery of the Customer's applications and their data; metering and quota enforcement; and the maintenance, security, and support of the service.
Duration. The term of the service, then deletion or return under section 9.
Annex II: Technical and organisational measures
- Encryption. Personal data is encrypted in transit using TLS and at rest using the infrastructure provider's default encryption for the datastore and object storage.
- Pseudonymisation and segregation. Per-user application data is stored under a stable internal user identifier, separating identity from stored content. Each glow's data is logically isolated. Session credentials are scoped to a single glow and cannot be replayed against another.
- Access control. Least-privilege access for service components and personnel. Per-glow API keys are stored as hashes only. Session tokens are short-lived and cryptographically derived per glow, with immediate forensic key rotation available. Administrative and agent access uses OAuth with audience-bound, expiring tokens.
- Secret management. Signing keys and credentials are held in a managed secret store. No per-glow secret is stored at rest; signing keys are derived from rotated root secrets.
- Resilience. The control-plane datastore runs in a multi-region configuration; data-plane services are deployed per region. Rate limiting, input validation, and structured security logging and alerting are in place.
- Deletion. Soft-delete followed by irreversible hard deletion of assets and data within 30 days, with tier-based retention thinning of historical versions.
- Organisational measures. Confidentiality obligations and data-protection training for personnel, access-management procedures, vendor due diligence, an incident-response process, and a record of processing activities.
Annex III: Sub-processors
| Sub-processor | Service | Data processed | Location | Safeguard |
|---|---|---|---|---|
| Google Cloud (Google LLC) | Hosting, datastore, object storage, compute, secrets, console identity | All Customer Personal Data | US (control plane); US, AU, or EU (data plane, per glow region) | EU-US DPF certified; SCCs as fallback |
| Cloudflare, Inc. | DNS and edge networking | Network metadata (IP addresses, hostnames); no glow content at rest | US / global | EU-US DPF; SCCs |
| Loops (Astrodon Inc.) | Transactional email (magic-link sign-in) | End-user email addresses; sign-in links | US | EU-US DPF; SCCs |
Stripe processes app-owner billing data, for which Backlit is the controller. It is disclosed in the Privacy Policy rather than listed here. Google and Microsoft, when chosen by an end user as a sign-in provider, act at that user's direction.
We will update this list and notify customers as described in section 5.
Contact
Questions about this DPA: reporting@backlit.run