Data Processing Addendum
Last Modified: December 10, 2025
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement ("Agreement") between Lokr Inc. ("Processor") and the Customer ("Controller").
1. Definitions
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Data Subject" means the individual to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person.
2. Processing of Personal Data
2.1 Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Lokr is the Processor.
2.2 Subject Matter of Processing
Lokr provides a calendar infrastructure layer. The subject matter of the processing is limited to:
- iCalendar (.ics) feed data retrieved from Customer's origin servers.
- Transient metadata required for the "repair" and "proxy" operations.
2.3 Duration of Processing
Processing is transient ("Zero Persistence"). Data is held in volatile memory (RAM) only for the microseconds required to parse, validate, and repair the feed. It is not written to disk.
3. Security Measures
Processor shall maintain appropriate technical and organizational security measures to protect Personal Data, including:
- Encryption in Transit: All data is transmitted via TLS 1.3.
- Encryption at Rest: Not applicable (Data is not stored at rest).
- Access Control: Strict least-privilege access policies for engineering staff.
4. Subprocessors
Customer authorizes Lokr to engage the following Subprocessors:
| Name | Role | Location |
|---|---|---|
| Vercel Inc. | Hosting & Edge Compute | USA |
| Upstash Inc. | Configuration Storage (Redis) | USA |
| PostHog Inc. | Analytics (Aggregated) | USA / EU |
To execute this DPA, please download the signed PDF version from your Enterprise Dashboard or contact legal@lokr.co.