Data Processing Addendum
Last updated: 2026 Q2
L2h.ai, Inc. (“L2H”) provides a standard Data Processing Addendum (the “DPA”) to customers who require one in order to comply with the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act, and other applicable comprehensive U.S. state privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, and others). The DPA is incorporated by reference into the Master Services Agreement (MSA) executed between L2H and the customer.
1. Roles
For personal data the customer processes within an L2H deployment, the customer acts as the controller (or business) and L2H acts as the processor (or service provider). For personal data L2H collects directly for its own corporate purposes (for example, support ticket contacts, billing contacts, and marketing inquiries), L2H acts as the controller and follows its own Privacy Policy.
2. What the DPA covers
- roles and responsibilities (controller / processor / sub-processor);
- categories of data subjects and personal data processed;
- processing instructions, purposes, and duration;
- technical and organizational security measures (cross-references the Trust Center);
- international data transfers (Standard Contractual Clauses for EEA / UK / Switzerland; supplementary measures);
- sub-processor management, list, and notice (see Subprocessors);
- data subject rights assistance;
- personal-data-breach notification timing and process;
- audit rights (including third-party audit reports);
- return / deletion of personal data at the end of services;
- service-provider obligations under CCPA/CPRA and similar U.S. state laws (no sale, no sharing, no combining outside business purpose); and
- HIPAA Business Associate Agreement language available on request for healthcare customers.
3. Customer-hosted deployments
Orchestrator, Chat, and the Enterprise Agent suite (for ServiceNow and VS Code) are designed to run inside the customer’s own cloud environment (AWS, Azure, GovCloud) or on-prem Kubernetes. Production runtime data — including model inputs, outputs, and any customer content processed through L2H workflows — remains within the customer’s environment and is not routinely transmitted to or stored in L2H-controlled infrastructure.
L2H personnel may access customer-controlled environments only when authorized by the customer for a specific purpose (for example, paid professional services, in-customer support troubleshooting, or onboarding). Such access is governed by the MSA / DPA, performed on a least-privilege basis under the customer’s identity provider where feasible, and logged. The DPA addresses any L2H-controlled processing (support contacts, billing contacts, and the limited circumstances described in this section) and applies whenever L2H acts as a processor for customer personal data.
4. International transfers
Where L2H processes personal data of EEA, UK, or Swiss data subjects in a jurisdiction without an adequacy decision, the DPA incorporates the European Commission’s Standard Contractual Clauses (Modules 2, 3, and 4 as applicable) and the UK International Data Transfer Addendum, supplemented by appropriate technical and organizational measures.
5. How to execute the DPA
Customers and prospective customers can request the current DPA by emailing support@l2h.ai (subject: “DPA Request”). The DPA can be signed via DocuSign, executed as part of the MSA, or attached as an Order Form addendum. We can also provide a Records of Processing Activities (RoPA) extract on request.
6. Contact
For privacy, DPA, or contracting questions: support@l2h.ai.