Data Processing Agreement
Effective Date: March 20, 2026
Last Updated: March 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
- Data Controller: You, the merchant ("Controller")
- Data Processor: Refined Element, LLC, a Florida limited liability company, operating as Lightning Enable ("Processor")
This DPA applies where and to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing Lightning Enable under the Agreement.
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR |
| Processing | Any operation performed on Personal Data, as defined in Article 4(2) of the GDPR |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates |
| Sub-Processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council |
| UK GDPR | The GDPR as retained in United Kingdom law by the European Union (Withdrawal) Act 2018 |
| SCCs | Standard Contractual Clauses as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data |
| Agreement | The Terms of Service between Controller and Processor, available at docs.lightningenable.com/legal/terms-of-service |
| Service | The Lightning Enable API middleware payment orchestration platform |
| L402 | An HTTP-based protocol for payment-gated API resource access using Lightning Network invoices |
| AI Agent | An automated software system that accesses the Service on behalf of a natural person or legal entity |
| Applicable Data Protection Law | All laws applicable to processing under this DPA, including GDPR, UK GDPR, Swiss FADP, CCPA, and applicable U.S. state privacy laws |
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data solely to provide the Lightning Enable service as described in the Agreement.
2.2 Categories of Data Subjects
- Merchants (Controller's employees or representatives who use Lightning Enable)
- End customers (individuals whose shipping information is submitted through the Shopify L402 integration)
2.3 Types of Personal Data Processed
| Category | Data Elements | Purpose |
|---|---|---|
| Merchant account data | Name, email address, plan tier | Account management, service delivery, communications |
| Payment provider credentials | Encrypted Strike/OpenNode API keys, Shopify Admin API tokens, webhook secrets | Forwarding API requests to the Controller's payment provider |
| API request metadata | IP address, user agent, endpoint, timestamp, HTTP method, response status | Security monitoring, debugging, abuse prevention |
| Shopify customer data | Name, shipping address, email, phone number | Creating Shopify orders on behalf of the Controller |
| Shopify order data | Order ID, line items, pricing, status, timestamps, claim tokens | Order lifecycle management |
| Lightning Network protocol data | Payment hashes, invoice data, node identifiers, channel references | Technical facilitation of Lightning payment protocol on Controller's behalf |
2.4 Duration of Processing and Retention
Processing shall continue for the duration of the Agreement. Upon termination or expiration of the Agreement, Processor shall retain and delete Personal Data in accordance with the following schedule:
| Data Category | Retention Period After Termination |
|---|---|
| Merchant account data (name, email, plan tier) | 12 months, then deleted |
| Payment provider credentials (API keys, tokens, webhook secrets) | Deleted within 24 hours |
| API request metadata (IP, user agent, endpoint, timestamp) | 90 days from creation, then deleted |
| Shopify customer data (name, address, email, phone) | Deleted within 24 hours or upon Controller's earlier request |
| Shopify order data (order details, claim tokens) | 90 days from creation, then deleted |
| Security event logs | 180 days from creation, then deleted |
2.5 AI Agent and Automated Transactions
Where Controller's service is accessed by AI agents, automated systems, or machine-initiated requests (including L402 protocol transactions):
(a) Processor processes API request metadata generated by such automated access in the same manner as human-initiated requests;
(b) to the extent an AI agent transmits Personal Data of a natural person (such as the principal authorizing the AI agent), such data shall be treated as Personal Data under this DPA and processed in accordance with Controller's documented instructions;
(c) data generated by or about an AI agent that does not relate to an identified or identifiable natural person is not Personal Data within the scope of this DPA;
(d) Controller is responsible for ensuring its use of AI agents complies with applicable data protection law, including providing appropriate notices to natural persons whose Personal Data may be processed through AI agent interactions.
2.6 L402 Protocol Data
Processing of data in connection with the L402 protocol (including challenge tokens, payment preimages, macaroon credentials, and claim tokens) is limited to technical facilitation. To the extent such data constitutes or contains Personal Data, it shall be processed in accordance with this DPA. Processor shall not use L402 protocol data to identify, profile, or track natural persons beyond what is necessary to provide the service.
2.7 Non-Custodial Processing; No Fund Transmission
Processor provides connector software that facilitates API communication between Controller and Controller's payment providers. Processor does not hold, custody, control, or transmit monetary value, cryptocurrency, or digital assets at any point during processing. All payment transactions are executed directly between Controller (or Controller's end customers) and Controller's payment providers using Controller's own credentials. This DPA governs the processing of Personal Data associated with such transactions, not the transactions themselves.
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall:
(a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA, unless required to do so by applicable law — in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law;
(b) Not process Personal Data for any purpose other than providing the Lightning Enable service as described in the Agreement;
(c) Inform the Controller immediately if, in the Processor's opinion, an instruction infringes the GDPR or other Applicable Data Protection Law.
3.2 Confidentiality
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
3.3.1 Processor shall implement and maintain appropriate technical and organizational measures per GDPR Article 32. As of the Effective Date, these include:
Encryption:
- AES-256-GCM for Personal Data at rest, including payment provider credentials
- HTTPS with TLS 1.2+ for all data in transit
Access Control:
- Microsoft Entra ID authentication for Azure SQL
- Azure Key Vault for encryption key and secret management
- API key authentication for all service endpoints
- Logical tenant isolation (data segregated by MerchantId)
Monitoring and Resilience:
- Rate limiting on API endpoints
- Security event logging with 180-day retention
- Automated threat detection and alerting
3.3.2 Processor shall regularly review and update these measures to address evolving threats, considering costs, nature, scope, context, and purposes of processing.
3.3.3 Processor shall not materially reduce security without prior written notice. Controller may terminate upon thirty (30) days' notice if it reasonably objects to a reduction.
3.4 Sub-Processing
(a) The Controller provides general authorization for the Processor to engage Sub-Processors listed in Section 8 of this DPA.
(b) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller at least thirty (30) days to object to such changes.
(c) Where the Controller objects to a new Sub-Processor on reasonable grounds related to data protection, the parties shall discuss the Controller's concerns in good faith. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the service.
(d) The Processor shall impose data protection obligations no less protective than those set out in this DPA on each Sub-Processor by way of a written contract.
(e) The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
3.5 Data Subject Rights
(a) The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection).
(b) If the Processor receives a request from a Data Subject directly, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise required by law.
3.6 Data Breach Notification
3.6.1 Processor shall notify Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Data Breach affecting Controller's Personal Data. "Becoming aware" means the point at which Processor has a reasonable degree of certainty that a security incident has affected Personal Data — mere suspicion without corroboration does not trigger the notification period.
3.6.2 Notification shall include, to the extent reasonably available: (a) a description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Processor's data protection contact; (c) a description of the likely consequences of the Data Breach; (d) a description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects; (e) where applicable, whether the breach involved encrypted data and whether the encryption keys were compromised.
3.6.3 Where it is not possible to provide all information at the time of initial notification, Processor shall provide the information in phases without further undue delay.
3.6.4 Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken, and make such documentation available to Controller upon request.
3.6.5 Processor shall cooperate with Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.
3.7 Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor.
3.8 Deletion and Return of Data
3.8.1 Upon termination or expiration of the Agreement, and at Controller's election, Processor shall either (a) return all Personal Data to Controller in a commonly used, machine-readable format, or (b) delete all Personal Data in accordance with the retention schedule in Section 2.4. Controller shall make its election within thirty (30) days of termination; absent an election, Processor shall delete per the retention schedule.
3.8.2 Processor shall certify deletion in writing within ten (10) business days of completing deletion.
3.8.3 Processor may retain Personal Data to the extent required by applicable law, provided Processor (a) maintains confidentiality, (b) processes it only for legal compliance, and (c) deletes it promptly when the legal obligation expires.
3.9 Audit Rights
3.9.1 Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
3.9.2 Processor shall allow audits conducted by Controller or a qualified third-party auditor, subject to: (a) thirty (30) days' prior written notice (unless triggered by a Data Breach or supervisory authority request); (b) conducted during normal business hours, no more than once per twelve (12) month period (unless required by a supervisory authority or triggered by a Data Breach); (c) Controller bears audit costs, except where the audit reveals material non-compliance, in which case Processor bears reasonable costs; (d) auditor bound by confidentiality and shall not be a competitor of Processor.
3.9.3 Processor may satisfy audit obligations by providing (a) a current SOC 2 Type II report or equivalent third-party security assessment, or (b) a written compliance attestation, provided such documentation is no more than twelve (12) months old. If Controller has reasonable grounds to believe such documentation is insufficient, Controller retains the right to conduct an audit under Section 3.9.2.
4. Obligations of the Controller
The Controller shall:
(a) Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf;
(b) Provide all necessary notices to, and obtain all necessary consents or authorizations from, Data Subjects as required by Applicable Data Protection Law;
(c) Be responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor;
(d) Ensure that its instructions to the Processor comply with Applicable Data Protection Law; and
(e) Comply with its own obligations under the GDPR, UK GDPR, and any other Applicable Data Protection Law.
5. International Data Transfers
5.1 Transfer Mechanism
Lightning Enable infrastructure is hosted in the United States (Microsoft Azure, East US region). For transfers of Personal Data from the EEA, United Kingdom, or Switzerland to the United States:
(a) The parties hereby enter into the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference.
(b) For purposes of the SCCs:
- The "data exporter" is the Controller;
- The "data importer" is the Processor;
- The details of the transfer are as described in Section 2 of this DPA;
- The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs;
- The governing law shall be the law of the EU Member State in which the data exporter is established.
(c) For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated into this DPA.
(d) For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act (FADP).
5.2 Sub-Processor Transfers
Where Sub-Processors are located outside the EEA, the Processor shall ensure that appropriate data transfer mechanisms are in place with each Sub-Processor, including SCCs where applicable.
5A. U.S. State Privacy Laws
5A.1 CCPA/CPRA
To the extent Processor processes Personal Data of California residents on behalf of Controller, Processor acts as a "Service Provider" as defined in the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). Processor shall:
(a) process such Personal Data only for the specific business purposes set forth in this DPA and the Agreement, and not for any commercial purpose other than providing the services;
(b) not "sell" or "share" (as those terms are defined in the CCPA) Personal Data received from or on behalf of Controller;
(c) not combine Personal Data received from Controller with Personal Data received from other sources or collected from its own interactions with the Data Subject, except as expressly permitted by the CCPA;
(d) comply with all applicable obligations under the CCPA and grant Controller the right to take reasonable and appropriate steps to ensure Processor uses Personal Data in a manner consistent with Controller's CCPA obligations;
(e) notify Controller if Processor determines it can no longer meet its obligations under the CCPA;
(f) upon Controller's request, assist Controller in responding to verifiable consumer requests, including requests by authorized agents, within the timeframes required by the CCPA.
5A.2 Other U.S. State Laws
To the extent Personal Data is subject to other applicable U.S. state data privacy laws (including but not limited to the Virginia CDPA, Colorado CPA, Connecticut DPA, and Texas DPSA), Processor shall process such data consistent with the obligations set forth in this DPA and shall not process such data in a manner that would constitute a "sale" under any such law.
6. Liability and Indemnification
6.1 Liability Cap. Subject to Section 6.3, each party's total aggregate liability to the other party under or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the amounts paid or payable by Controller to Processor under the Agreement in the twelve (12) months immediately preceding the event giving rise to the claim, subject to a minimum floor of one hundred U.S. dollars ($100).
6.2 Consequential Damages Exclusion. Subject to Section 6.3, neither party shall be liable to the other for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, data, or business opportunity, however caused, even if advised of the possibility of such damages.
6.3 Exclusions from Limitation. The limitations in Sections 6.1 and 6.2 shall not apply to: (a) either party's liability to Data Subjects under GDPR Article 82, UK GDPR, or any Applicable Data Protection Law; (b) Processor's breach of Section 3.1 (processing beyond documented instructions); (c) either party's indemnification obligations under Section 6.4; (d) liability arising from willful misconduct or gross negligence; (e) breach of Section 3.2 (confidentiality obligations).
6.4 Indemnification. Each party shall indemnify, defend, and hold harmless the other party from and against any third-party claims, fines, penalties, damages, and reasonable costs (including attorneys' fees) arising from the indemnifying party's breach of this DPA or Applicable Data Protection Law, provided the indemnified party gives prompt written notice, reasonable cooperation, and sole control of the defense.
7. Term and Termination
7.1 Term
This DPA takes effect on the date the Controller begins using Lightning Enable and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.
7.2 Survival
The following Sections shall survive termination: Sections 1 (Definitions), 2.4 (Retention), 2.7 (Non-Custodial Processing), 3.6 (Data Breach Notification), 3.8 (Deletion and Return), 3.9 (Audit Rights), 5A (U.S. State Privacy Laws), 6 (Liability and Indemnification), 9 (Contact), and 11 (Governing Law and Dispute Resolution).
8. Authorized Sub-Processors
8.1 Controller provides general authorization for Processor to engage the Sub-Processors listed below. Processor shall comply with notice requirements in Section 3.4 before engaging any new Sub-Processor.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Cloud infrastructure, database hosting, key management | All categories in Section 2.3 | United States (East US) |
| Vercel, Inc. | Application hosting and content delivery | API request metadata, merchant account data | United States |
| Stripe, Inc. | Subscription billing for Processor's services | Merchant name, email, payment method for SaaS subscription | United States |
| Google LLC (Google Analytics) | Platform usage analytics | IP address (anonymized), device/browser information, usage patterns | United States |
8.2 Controller's Own Processors. For the avoidance of doubt, the following services are engaged directly by Controller and are not Sub-Processors under this DPA:
- Strike — Controller's Bitcoin/Lightning payment provider
- OpenNode — Controller's Bitcoin/Lightning payment provider
- Shopify — Controller's ecommerce platform
Processor accesses these services using Controller's own API credentials and acts solely as a technical conduit forwarding Controller's instructions. Controller is solely responsible for its own data processing agreements with these providers.
8.3 The current Sub-Processor list is maintained at docs.lightningenable.com/legal/data-processing-agreement and updated per Section 3.4.
9. Contact Information
Processor: Refined Element, LLC, [Street Address], [City], Florida [ZIP], United States
Data Protection Contact: privacy@lightningenable.com
Legal Inquiries: legal@lightningenable.com
EU Representative (GDPR Article 27): Not currently appointed. Processor will appoint an EU representative if required based on the nature and scale of processing of EU Data Subjects' Personal Data.
UK Representative (UK GDPR Section 13): Not currently appointed. Processor will appoint a UK representative if required based on the nature and scale of processing of UK Data Subjects' Personal Data.
10. Amendments
10.1 Processor may propose amendments to reflect changes in Applicable Data Protection Law, regulatory guidance, or the Sub-Processor list. Thirty (30) days' prior written notice is required.
10.2 For amendments required solely to comply with mandatory changes in applicable law, continued use after effective date constitutes acceptance, provided the amendment does not materially diminish Processor's obligations or Controller's rights.
10.3 For all other material amendments (scope of processing, security measures, Sub-Processor arrangements), the amendment requires Controller's affirmative written consent.
10.4 If Controller objects (10.2) or declines consent (10.3), either party may terminate upon thirty (30) days' written notice, and Processor shall comply with Section 3.8.
11. Governing Law and Dispute Resolution
11.1 This DPA shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of law principles, except to the extent that the mandatory provisions of the GDPR, UK GDPR, or Swiss FADP require otherwise.
11.2 Any dispute arising out of or in connection with this DPA that is not subject to the exclusive jurisdiction of a Data Subject's supervisory authority under Applicable Data Protection Law shall be subject to the exclusive jurisdiction of the state and federal courts located in Orange County, Florida.
11.3 Nothing in this Section limits the right of any Data Subject to lodge a complaint with a supervisory authority or to seek a judicial remedy under Applicable Data Protection Law.