The Living Chronicle — Companion API (Developer Portal)
Last updated: 2026-04-10
This Data Processing Agreement ("DPA") supplements the Terms of Service between Aegis Brightsmark Capital MB ("Processor", "we") and any third-party developer ("Controller", "you") integrating with the Companion API. It governs the processing of personal data under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
By using the Companion API, you agree to the terms of this DPA on behalf of your organization.
1. Definitions
Terms used in this DPA carry the meaning assigned in Article 4 of the GDPR. "Controller", "Processor", "Personal Data", "Processing", "Data Subject", and "Supervisory Authority" have their GDPR definitions.
For the purpose of this DPA:
- You (Controller) determine the purposes and means of processing personal data of your end users through your Companion integration.
- We (Processor) process personal data on your behalf only to the extent necessary to provide the Companion API.
2. Scope and Subject Matter
2.1 Nature and Purpose
We process personal data solely to deliver the Companion API features you request — serving lore queries, resolving graph relationships, and returning narrative context.
2.2 Categories of Data Subjects
- End users of your companion application who have linked their Living Chronicle account (where applicable)
- Developers (you) and your team members who authenticate to the developer portal
2.3 Categories of Personal Data
We process only the minimum data required:
- API key (pseudonymous identifier)
- IP address (for rate limiting and abuse prevention, retained max 30 days)
- Request metadata (endpoint, timestamp, status, latency)
- Optional: linked Living Chronicle username if the end user authenticates via OAuth
- Query content you submit (may contain end-user input you pass through)
We do not process special categories of data (Art. 9 GDPR) through this API.
2.4 Duration
Processing lasts for the duration of your API use, plus retention periods defined in Section 8.
3. Your Obligations as Controller
You warrant that you:
- Have a valid legal basis (GDPR Art. 6) for each processing purpose
- Provide your end users with a privacy notice covering the use of the Companion API
- Obtain any consent required by law (GDPR Art. 7, ePrivacy)
- Honor data subject rights (Arts. 15–22) with respect to data you control
- Do not submit personal data outside the minimum categories above
- Do not submit special category data (Art. 9) to the API
4. Our Obligations as Processor
We will:
- Process personal data only on your documented instructions (primarily through your API calls and account configuration)
- Ensure staff with access are bound by confidentiality
- Implement appropriate technical and organizational security measures (Section 6)
- Assist you in fulfilling data subject requests within technical feasibility
- Assist with data protection impact assessments (DPIAs) on reasonable request
- Notify you without undue delay of any personal data breach affecting your end users
- On termination, delete or return processed personal data, at your choice, subject to legal retention requirements
5. Sub-Processors
You authorize us to engage sub-processors to operate the Companion API. Our current sub-processors are listed in our Privacy Policy, Section 5. We will provide at least 30 days' notice before adding or replacing a sub-processor, giving you the opportunity to object on reasonable grounds.
Each sub-processor is bound by a written agreement imposing data protection obligations no less protective than this DPA.
6. Security
We implement the measures described in Privacy Policy Section 8, including:
- TLS 1.2+ encryption in transit
- Encryption at rest for sensitive data
- Least-privilege access controls with audit logs
- API key rotation support
- Rate limiting and anomaly detection
- Regular backups and incident response procedures
- Security reviews of new features and dependencies
7. International Transfers
Processing primarily occurs in the European Union (Hetzner data centers in Germany). Where data is transferred to a third country (for example, to Anthropic or Google for AI processing), the transfer is protected by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (2021/914) as appropriate.
No personal data is transferred to third countries without an adequate safeguard in place.
8. Retention and Deletion
- Request metadata logs: 30 days
- Aggregated analytics: 24 months (anonymized)
- Account and billing records: 7 years (Lithuanian tax law)
- Submitted query content: not persisted beyond request processing unless explicitly cached by you
On termination or on your written request, we will delete your account data within 30 days, except where retention is legally required.
9. Data Subject Requests
If a data subject contacts us with a request concerning data we process on your behalf, we will forward the request to you within 5 business days and will not respond on our own unless legally compelled. You remain the point of contact for your end users.
10. Audits
You may audit our compliance with this DPA once per year on 30 days' written notice, during business hours, and without disrupting our operations. We may satisfy audit requests by providing recent third-party certifications (e.g., SOC 2 reports, penetration test summaries) in lieu of an on-site audit.
11. Liability
Liability under this DPA is governed by the limitations in the Terms of Service. Nothing in this DPA excludes liability that cannot be excluded under applicable law.
12. Termination
This DPA terminates automatically when you stop using the Companion API or when the Terms of Service terminate. Provisions that by their nature should survive termination (confidentiality, indemnity, retained-data obligations) do so.
13. Governing Law
This DPA is governed by the laws of the Republic of Lithuania. Disputes are subject to the jurisdiction of the courts of Vilnius, Lithuania.
14. Contact
For questions or to exercise any right under this DPA, contact:
Data Protection Contact
Aegis Brightsmark Capital MB
Sembu 6, Buivydiskes, LT-14166, Vilniaus raj., Lithuania
Email: info@aegisbrightsmark.com
Supervisory Authority: Valstybinė duomenų apsaugos inspekcija (VDAI)
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
https://vdai.lrv.lt/
Published by: Aegis Brightsmark Capital MB, Company Code 307576279