Data Processing Agreement

Last updated: March 25, 2026

Scope

This Data Processing Agreement ("DPA") applies to the Done-For-You and IT Teams bulk migration services offered by LegacyLift ("Processor," "we," "us"), where customers ("Controller," "you") upload files to our infrastructure for migration processing. This DPA does not apply to the Self-Service desktop application, which processes files entirely on your local machine.

1. Definitions

  • Personal Data: Any data contained within customer-uploaded files that relates to an identified or identifiable natural person, as defined by GDPR Article 4(1) or applicable law.
  • Processing: Any operation performed on personal data, including file conversion, format migration, VBA analysis, report generation, and temporary storage.
  • Sub-Processor: Any third party engaged by LegacyLift to process personal data on behalf of the Controller. Currently, LegacyLift uses no sub-processors for file processing.

2. Purpose and Scope of Processing

We process your files solely for the purpose of performing the migration services you requested:

  • Converting legacy file formats (.mdb, .xls) to modern equivalents (.accdb, .xlsx)
  • Scanning for and remediating VBA compatibility issues
  • Generating migration reports documenting changes made
  • Delivering migrated files back to you

We do not use your files or their contents for any other purpose, including but not limited to: training, analytics, marketing, profiling, or sale to third parties.

3. Data Handling Procedures

3.1 Upload and Storage

  • Files are uploaded via TLS 1.2+ encrypted connections.
  • Uploaded files are stored on encrypted infrastructure accessible only to the LegacyLift operator.
  • Each submission is isolated in its own directory, identified by a random UUID. No cross-contamination between customer submissions is possible.
  • No third parties, employees, or contractors have access to customer files.

3.2 Processing

  • Migration is performed using automated tooling (LegacyLift Core engine).
  • The operator may examine file structure and VBA code to diagnose issues, but does not read or extract business data content.
  • Processing occurs on the same infrastructure where files are stored. Files are not transferred to additional systems.

3.3 Delivery

  • Migrated files are delivered to you via encrypted transfer or the secure download method agreed upon.
  • Upon delivery confirmation, the submission is marked for deletion.

3.4 Deletion

  • All uploaded files and migration output are permanently deleted within 48 hours of delivery confirmation.
  • Project metadata (name, email, description — but not file contents) is retained for 90 days for support purposes, then deleted.
  • You may request immediate deletion at any time by emailing support@legacy-lyft.com or submitting a deletion request through our contact page.
  • Deletion is verified through automated purge processes that check for expired submissions.

4. Security Measures

We implement the following technical and organizational measures:

  • Encryption in transit: TLS 1.2+ for all data transfers.
  • Encryption at rest: Files stored on encrypted volumes.
  • Access control: Single-operator access. No employees, contractors, or third parties.
  • Network isolation: Application containers run on isolated Docker networks.
  • No outbound data transfer: The migration engine does not transmit data to external services.
  • Security headers: HSTS, CSP, X-Frame-Options, and other protective HTTP headers enforced.
  • Rate limiting: API endpoints are rate-limited to prevent abuse.

For full details, see our Security page.

5. Sub-Processors

LegacyLift currently uses no sub-processors for file processing. Your files are processed entirely on our own infrastructure.

Third-party services used for other purposes (not file processing):

  • Stripe: Payment processing only. Stripe does not have access to your uploaded files.
  • SMTP provider: Transactional email delivery. Emails do not contain your uploaded file contents.

If we add sub-processors in the future, we will update this DPA and notify affected customers at least 30 days in advance.

6. Your Rights as Data Controller

You retain all rights over the data contained in your files. As the Controller, you have the right to:

  • Access: Request confirmation of what data we hold and receive copies.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request immediate deletion of all files and metadata. We will comply within 24 hours of a verified request.
  • Portability: Receive your data in a standard, machine-readable format.
  • Objection: Object to processing. Since we only process for the requested migration, this effectively means canceling the service and requesting deletion.
  • Audit: Request reasonable information about our data handling practices.

7. Data Breach Notification

In the unlikely event of a data breach affecting your files:

  • We will notify you within 72 hours of becoming aware of the breach.
  • Notification will include: nature of the breach, data affected, measures taken, and recommended actions.
  • We will cooperate with any regulatory notifications you are required to make.

8. International Transfers

LegacyLift infrastructure is hosted in the United States. If you are located outside the US, your files will be transferred to and processed in the US. By using our services, you consent to this transfer. We apply the same security measures regardless of data origin.

9. Duration and Termination

This DPA is effective for the duration of our service relationship. Upon termination:

  • All files are deleted within 48 hours (or immediately upon request).
  • Metadata is deleted within 90 days.
  • Deletion logs are retained for 1 year for compliance documentation.

10. Contact

Data processing questions: support@legacy-lyft.com

Data deletion requests: Use our contact form with subject "Data Deletion Request" or email directly.