Effective May 1, 2026
Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements the Luminet Terms of Service and reflects the parties’ agreement on the processing of personal data in connection with the Service, in compliance with the GDPR, UK GDPR, and analogous data-protection laws.
1. Roles
Customer is the Controller of Personal Data submitted to the Service. Luminet acts as the Processor and may engage Subprocessors as listed on our Trust page.
2. Subprocessors
Luminet uses model providers (OpenAI, Anthropic, Google, etc.), cloud infrastructure (AWS, GCP), and operational tools (Datadog, Stripe). Luminet will give Customers at least 30 days’ notice before adding a new Subprocessor, and Customers may object on reasonable grounds.
3. Cross-border transfers
For transfers from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two) by reference.
4. Security measures
Luminet maintains the technical and organizational measures described on the Security page, including encryption in transit and at rest, MFA, access logging, and a SOC 2 Type II program.
5. Data subject rights
Luminet will provide reasonable assistance to Customer in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection.
6. Breach notification
Luminet will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7. Audits
Customer may audit Luminet’s compliance with this DPA on reasonable notice and not more than once per year. This audit right is satisfied by the most recent SOC 2 Type II report unless Customer demonstrates good cause for additional review.
⚠️ This is a placeholder. Final legal copy is being reviewed by counsel. For specific questions, contact billing@lumnt.com.