Legal · Effective 1 May 2025
Data Processing Addendum
1. Overview and roles
This Data Processing Addendum ("DPA") forms part of the agreement between Lumipact LLC ("Lumipact", "Processor") and the customer ("Controller") and governs the processing of personal data that occurs when the Controller uses the Lumipact platform.
| Role | Party |
| --- | --- |
| Data Controller | The customer (you) — the entity that determines the purposes and means of processing personal data stored in Lumipact. |
| Data Processor | Lumipact LLC — we process personal data on behalf of the Controller solely to provide the Lumipact service. |
| Applicable law | EU General Data Protection Regulation (GDPR) 2016/679 and applicable US data protection law. |
2. Scope of processing
Lumipact processes personal data that appears in or relates to contracts you upload or manage, including:
- Names, email addresses, and contact details of counterparties and contract signatories
- Names and email addresses of your team members (users) added to your Lumipact tenant
- Business identifiers such as company names, VAT numbers, and registration numbers
- Any personal data incidentally contained in uploaded contract documents or notes
We do not process special categories of personal data (Article 9 GDPR) unless you explicitly upload documents that contain them. If your contract portfolio includes such data (e.g. employment contracts referencing health conditions), you remain responsible for ensuring you have a lawful basis to process and store that data.
3. Purpose and legal basis
We process personal data only to provide, maintain, and improve the Lumipact service as instructed by you. We will not use your data for our own commercial purposes, advertising, or profiling. Our legal basis for processing is the performance of a contract with you (Article 6(1)(b) GDPR).
4. Your instructions
We act only on your documented instructions. Your use of the platform — uploading documents, inviting users, configuring alerts — constitutes your documented instructions to us. If we believe an instruction violates GDPR or applicable law, we will inform you promptly.
5. Sub-processors
We use the following sub-processors to deliver the Lumipact service. Each is bound by data processing agreements ensuring the same level of protection as this DPA:
| Sub-processor | Purpose and location |
| --- | --- |
| Supabase Inc. | Database hosting and authentication. EU data region (eu-central-1 / Frankfurt). |
| Amazon Web Services | Application server hosting. EU data region. |
| Resend Inc. | Transactional email delivery (renewal alerts, notifications). US-based, SCCs in place. |
| Stripe Inc. | Payment processing. Processes billing data only. US-based, SCCs in place. |
| OpenAI, L.L.C. | AI-assisted contract data extraction. Documents sent for processing are not used to train OpenAI models under our API agreement. US-based, SCCs in place. |
| PostHog Inc. | Product analytics. EU-hosted instance. No personal data from contracts is sent. |
We will notify you of any planned changes to this sub-processor list with at least 14 days' notice. If you object to a new sub-processor, you may terminate the agreement as set out in the Terms of Service.
6. Data subject rights
If you or a data subject (e.g. a counterparty whose name appears in a contract) submits a rights request — access, rectification, erasure, portability, restriction, or objection — you remain responsible for responding as the Controller. We will:
- Provide you with tools to export and delete data from your account.
- Assist you with requests that require access to data held in our infrastructure, within a reasonable timeframe and at a reasonable cost.
- Not respond directly to data subject requests on your behalf unless you explicitly instruct us to.
7. Security measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security policies ensuring tenant data isolation in the database
- Access controls limiting internal staff access to production data
- Regular dependency updates and security patch management
- Supabase managed authentication with bcrypt password hashing
More detail is available on our Security page (lumipact.com/security).
8. Data breach notification
In the event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware, providing: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it.
9. Retention and deletion
We retain your data for as long as your account is active. On plan cancellation or account deletion:
- Your data is retained for 30 days to allow export or recovery.
- After 30 days, account data is permanently deleted from production systems.
- Anonymised aggregate metrics (e.g. total contract count) may be retained in analytics.
- Backups are retained for a maximum of 30 days and then rotated.
10. International transfers
Primary data storage is within the EU. Where sub-processors outside the EEA process personal data (Resend, Stripe, OpenAI), we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
11. Audit rights
You may request a written summary of our data processing practices and security controls once per calendar year. Where regulatory requirements mandate an on-site audit, we will cooperate and may charge reasonable costs for facilitating access.
12. Governing law
This DPA is governed by the laws of the State of New Mexico, United States, and forms part of the Terms of Service agreement between the parties. Any disputes are subject to the courts of Bernalillo County, New Mexico.
To execute a signed DPA for enterprise or procurement purposes, contact us at legal@lumipact.com.