Data Processing Addendum (DPA)
Last updated: 2026-05-16. Forms part of the Lumauna Terms of service. For DPA queries contact privacy@lumauna.app.
1. Definitions
"Controller" / "Business" / "Treatment Controller", "Processor" / "Service Provider" / "Operator", "Data Subject", "Personal Data", and "Processing" carry the meanings given by UK GDPR, EU GDPR, CCPA/CPRA, and LGPD respectively (the role that applies depends on which law governs your relationship with us). "Customer" means the Lumauna tenant that has accepted these terms; "Lumauna" means Luma Una Ltd.
2. Roles & subject matter
The Customer is the Controller (or Business / Treatment Controller) of the Personal Data it uploads or otherwise causes Lumauna to process via the platform. Lumauna acts as Processor (or Service Provider / Operator) in respect of that Personal Data. Processing covers the duration of the Customer's subscription plus a 30-day export-and-deletion tail (see clause 9).
3. Customer instructions
Lumauna will process Personal Data only on documented instructions from the Customer, including those expressed through the platform UI and API. Lumauna will not sell or share Personal Data, retain, use, or disclose it outside the scope of the services provided under the Terms, or combine it with personal information received from other sources. The Customer warrants that such instructions, and the Personal Data itself, comply with applicable data-protection law.
4. Categories of data & data subjects
- Customer end-users (the tenant's clients, leads, contacts)
- Customer staff users (members of the tenant's workspace)
- Identifiers, contact details, addresses, transactional data, free-text notes, photos, and (where the customer voice agent is enabled) voice recordings.
5. Sub-processors
Lumauna engages the sub-processors listed at /sub-processors. Material additions are notified 30 days in advance; objection rights are described in clause 7.
6. Security measures
- Encryption in transit and at rest, using current industry-standard algorithms.
- Tenant data isolation enforced at the database layer.
- Managed authentication with MFA and optional SSO.
- Nightly encrypted off-site backups in the EU, with a documented restore drill.
- Audit logs retained for 12 months.
- Annual third-party penetration test once GA.
7. International transfers
Primary processing occurs in the EU. Where a sub-processor processes data outside the UK / EEA / your jurisdiction, Lumauna relies on the available transfer mechanisms — UK IDTA, EU SCCs, the EU-US and UK-US Data Privacy Framework, ANPD international transfer instruments (Brazil), and equivalent contractual safeguards. The Customer authorises such transfers on the basis of those safeguards.
8. Data subject rights
Lumauna will assist the Customer in responding to data-subject requests (access, rectification, erasure, restriction, objection, portability, opt-out of sale or sharing where applicable) by providing self-service export and deletion tooling. Bespoke requests can be raised at privacy@lumauna.app and are billed at cost.
9. Retention & deletion
On termination Lumauna retains Customer data in primary storage for 30 days (for export). It is then deleted from primary storage. Backups roll on a window of approximately twelve months and expire automatically.
10. Audits
Lumauna will provide reasonable information necessary to demonstrate compliance (e.g. its sub-processor list, security whitepaper, pen-test summary). Customer-led on-site audits may be agreed in writing once a year subject to confidentiality and reasonable cost-recovery.
11. Personal data breaches
Lumauna will notify the Customer without undue delay (and within 72 hours where practicable) after becoming aware of a Personal Data breach affecting the Customer's data, providing the information required under Article 33 GDPR (and the equivalent provisions of CCPA, LGPD, and other applicable laws) to the extent then available.
12. Liability & precedence
Liability under this DPA is governed by the main Lumauna Terms of service. In the event of conflict between this DPA and the Terms in respect of Personal Data, this DPA prevails.