Data Processing Addendum

Last updated: 2025-11-21
Version: 1.0 — Lumentir
Controller → Processor

This Data Processing Addendum (“DPA”) forms part of any agreement or service order between Lumentir, located at Verdunplein 17, Unit C2671, Eindhoven, The Netherlands (“Processor”), and the customer using the Lumentir AI visibility platform (“Controller”).

This DPA governs Lumentir’s processing of Personal Data on behalf of the Controller in connection with the provision of the Lumentir service (“Services”).

1. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person processed by Lumentir on behalf of Controller.
• Processing, Data Subject, Controller, Processor, Supervisory Authority: as defined in the GDPR.
• Sub-processor: Any third party engaged by Lumentir to process Personal Data.
• Services: Lumentir’s AI visibility platform, including authentication, dashboards, session recordings, and related functionality.

2. Roles of the Parties

• Controller determines the purpose and means of the processing.
• Lumentir acts solely as Processor and processes Personal Data only on documented instructions from Controller.
• Lumentir does not sell, share, or use Personal Data for advertising, profiling, or AI model training.

3. Controller Instructions

Lumentir will process Personal Data exclusively:

• to deliver, maintain, and secure the Services,
• to provide customer support,
• to manage authentication and account access,
• to conduct limited session recordings for UX improvement (as described in Annex I),
• as required by law.

Lumentir shall promptly inform Controller if an instruction violates the GDPR.

4. Types of Personal Data and Data Subjects

See Annex I for full details, including:

• Contact data (name, email)
• Account data (hashed password)
• Session recordings & usage logs (non-user-specific analytics where possible)
• Prompt/URL scraping data for visibility analysis (non-PII)

No special categories of data or children’s data are processed.

5. Confidentiality

Lumentir ensures that all personnel with access to Personal Data:

• are bound by confidentiality obligations,
• receive data protection training,
• access data strictly on a need-to-know basis.

6. Security Measures

Lumentir maintains industry-standard and GDPR-aligned security measures, including:

• TLS for all data in transit
• Encryption at rest
• Strong password hashing
• Multi-factor authentication for admin access
• Brute-force detection and rate limiting
• Logging, monitoring, and anomaly detection

See Annex II – Security Measures.

7. Sub-Processors

Lumentir may use Sub-processors listed in Annex III.

• Controller will be notified of material changes.
• Controller may object only on reasonable and documented grounds.
• All Sub-processors are bound by obligations materially similar to those in this DPA.

8. International Data Transfers

• Lumentir stores all customer data in the EU (AWS EU region).
• Certain Sub-processors may process data in the United States.
• All international transfers rely on:
  • the EU–US Data Privacy Framework,
  • Standard Contractual Clauses 2021 (Module 2: Controller → Processor),
  • TIA (Transfer Impact Assessment) as provided in Annex IV.
• Lumentir does not transfer data to third countries beyond the US.

9. Data Subject Rights

Lumentir assists Controller in fulfilling Data Subject rights:

• access
• rectification
• deletion
• restriction
• portability
• objection

Requests may be submitted to: [email protected].
A DSAR template is included in Annex V.

10. Data Breach Notification

• Lumentir will notify Controller without undue delay and within 24 hours after becoming aware of a Personal Data Breach.
• Lumentir will provide:
  • nature of the breach,
  • categories and volume of affected data,
  • likely consequences,
  • mitigation measures taken.
• Lumentir supports Controller in communication with the Dutch DPA or other supervisory authorities.

11. Data Retention & Deletion

• Session recordings & logs: max. 3 months
• Authentication/account data: as long as subscription is active, then deleted within 3 months

Upon termination:

• Lumentir deletes or anonymizes Personal Data within 1–3 months, unless legally required to retain it.
• Controller can delete account data through the dashboard.

12. Audit Rights

• Controller may request one audit per year.
• Performed by an independent auditor, mutually agreed.
• At Controller’s cost.
• Subject to reasonable notice and confidentiality.

13. Liability

• Liability is governed by the parties’ main agreement.
• This DPA does not expand Lumentir’s liability unless required by mandatory law.

14. Term & Termination

• This DPA remains effective as long as Lumentir processes Personal Data for Controller.
• Obligations regarding confidentiality, international transfers, and deletion survive termination.

ANNEX I — Details of Processing

Nature of processing:
Hosting, storing, analyzing, and managing platform user data for accessing and using Lumentir’s Services.

Purpose of processing:

• Authentication and account management
• Service delivery and functionality
• Session recordings for UX/product improvement
• Support and incident monitoring

Types of personal data:

• Name
• Email address
• Hashed password
• Session recordings
• IP-independent analytics
• Technical logs

Data subjects:

• Employees and authorized users of Controller

Retention: Max. 3 months, unless required otherwise.

ANNEX II — Security Measures

Technical Measures

• TLS 1.2+
• AES-256 encryption at rest
• Secure password hashing (bcrypt/argon2)
• Firewalls & WAF (Cloudflare)
• DDoS protection
• Brute-force detection
• Least-privilege IAM
• MFA on privileged accounts
• Continuous monitoring
• Logging & alerting

Organizational Measures

• Access limited to owner & support
• Confidentiality obligations
• Employee training
• Incident response plan
• Change management procedures

ANNEX III — Sub-Processors

• AWS Europe — Hosting, storage (EU)
• Cloudflare — CDN, security (EU/US)
• Google Workspace — Email support (EU/US, DPF certified)

All Sub-processors operate under GDPR-equivalent terms.

ANNEX IV — Transfer Impact Assessment (Summary)

• Nature of data: limited identity data (name/email)
• Destination: US only
• Safeguards:
  • Organizational controls
  • Encryption at rest/in transit
• Risk level: low, due to minimal categories and encryption
• Conclusion: Transfers ensure essentially equivalent protection

ANNEX V — Data Subject Request Template (DSAR)

Subject: Data Subject Rights Request
To: [email protected]

I hereby exercise my rights under the GDPR regarding my Personal Data processed by Lumentir.
I request the following (select one or more):

• ☐ Access to my data
• ☐ Rectification
• ☐ Erasure
• ☐ Restriction
• ☐ Portability
• ☐ Objection
• ☐ Other: _________

Name:
Email:
Description of request: