Effective April 22, 2026 · Last updated April 22, 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between Lumeinit Research, Inc. ("Processor") and you or your organization ("Controller") when you use Lumeinit to process personal data on behalf of your end users or customers.

It applies automatically to customers on the Team plan and above; Free and Pro customers can request it on sign-up.

Definitions

Terms like "personal data," "processing," "data subject," "controller," and "processor" have the meanings given in the EU General Data Protection Regulation ("GDPR"). "Applicable Data Protection Laws" means GDPR, UK GDPR, the Swiss FADP, and equivalent laws that apply to you.

Roles

With respect to personal data processed through the Service, you are the Controller and we are the Processor. You are responsible for determining the purposes and means of processing; we process on your documented instructions.

Scope of processing

We process the categories of personal data and data subjects, for the purposes and duration, described in Annex A (available on request). Processing is limited to what is necessary to provide the Service under our Terms.

Sub-processors

We maintain a current list of sub-processors (infrastructure, AI providers, payment, analytics, support tooling). The list is available on request from contact@lumeinit.com. We'll notify Controllers of new sub-processors with at least 30 days' advance notice; Controllers may object on reasonable grounds.

Security measures

We implement appropriate technical and organizational measures as described on our Security page. These include encryption in transit and at rest, access controls, logging, and incident response.

Personnel

Personnel authorized to process personal data are bound by confidentiality obligations and trained on data protection.

Data subject requests

We assist Controllers in responding to data subject requests (access, rectification, erasure, portability, objection) to the extent such assistance is possible through the functionality of the Service.

Breach notification

We notify Controllers without undue delay — and within 72 hours of confirmation — of any Personal Data Breach affecting their data, with the information required under GDPR Article 33(3) to the extent available.

International transfers

For transfers of personal data from the EEA, UK, or Switzerland to a third country that does not have an adequacy decision, we rely on the Standard Contractual Clauses (EU 2021/914), UK Addendum, or Swiss equivalent as applicable. These are incorporated into this DPA by reference.

Audits

We make available information necessary to demonstrate compliance with this DPA. Controllers on the Enterprise plan may conduct or commission audits on reasonable notice, subject to confidentiality.

Return or deletion

On termination of the Service, we delete or return personal data as described in our Privacy Policy. Retention for backup and legal purposes is limited and time-bound.

Governing law & order of precedence

This DPA is governed by the law of the main agreement between us. In case of conflict between this DPA and the Terms, this DPA prevails for matters relating to data protection.


Questions about this document? Write to contact@lumeinit.com.