Data Processing Agreement
Introduction & Purpose
This Data Processing Agreement (“DPA”) forms part of the contractual relationship between Lumiqo Inc. (“Processor”) and the customer entity that has agreed to the Lumiqo Terms of Service (“Controller”).
This DPA sets out the terms under which Lumiqo processes personal data on behalf of the Controller when providing the Lumiqo analytics and observability platform, including API ingestion, webhook processing, event stream analytics, AI-powered insights, and related services (collectively, the “Services”).
This DPA incorporates Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914 where applicable to international data transfers.
Definitions
- “Applicable Data Protection Law” means the GDPR (Regulation (EU) 2016/679), UK GDPR, the Swiss Federal Act on Data Protection (nFADP), and any other applicable data protection legislation in force from time to time.
- “Controller” means the natural or legal person who determines the purposes and means of processing personal data — in this context, the Lumiqo customer.
- “Processor” means Lumiqo Inc., which processes personal data on behalf of the Controller.
- “Sub-Processor” means any third party engaged by Lumiqo to process personal data in connection with providing the Services.
- “Customer Data” means all personal data ingested into the Services by or on behalf of the Controller, including API payloads, webhook bodies, and event stream records.
- “Personal Data” has the meaning given in Applicable Data Protection Law.
- “Data Subject” means the identified or identifiable natural person to whom personal data relates.
- “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Details of Processing
Subject Matter
The processing of personal data by Lumiqo as Processor is necessary for the performance of the Services as described in the Terms of Service.
Duration
Lumiqo processes personal data for the duration of the Controller's subscription to the Services and for such additional period as required for data deletion procedures or as required by law.
Nature and Purpose of Processing
- Ingesting, storing, and indexing API response payloads and request metadata
- Processing and routing inbound webhook payloads submitted to Lumiqo endpoints
- Streaming ingestion and real-time analysis of event data
- Providing AI-powered natural language querying and insight generation over Customer Data
- Surfacing real-time dashboards, alerts, and observability metrics
- Storing and managing authentication and access control data for the Controller's team
Categories of Personal Data
The categories of personal data processed depend on what the Controller chooses to ingest. Typical categories include:
- End-user identifiers (user IDs, email addresses, usernames) embedded in API or event payloads
- IP addresses and device identifiers in webhook headers or event metadata
- Behavioural data (actions, events, timestamps) from the Controller's application
- Team member identity data (name, email, role) for Lumiqo account access
Categories of Data Subjects
- End users of the Controller's products and services whose data is captured in API calls or events
- The Controller's employees and contractors who use the Lumiqo console
Processor Obligations
Lumiqo, as Processor, shall:
- Process personal data only on documented instructions from the Controller — principally to provide the Services — unless required to do so by applicable law
- Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures in accordance with Article 32 GDPR (see Section 6 below)
- Assist the Controller in responding to Data Subject requests within the timelines required by Applicable Data Protection Law
- Assist the Controller in meeting obligations under Articles 32–36 GDPR (security, DPIAs, breach notification)
- Delete or return all personal data upon termination of the Services, at the Controller's election, within 30 days
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or a mandated auditor
- Not transfer personal data outside the EEA/UK without the safeguards described in Section 7 of this DPA
Controller Obligations
The Controller represents and warrants that it:
- Has a lawful basis for processing all personal data ingested into the Services under Applicable Data Protection Law
- Has provided all required notices to, and obtained all required consents from, Data Subjects whose personal data is sent to Lumiqo
- Will only instruct Lumiqo to process personal data in accordance with Applicable Data Protection Law
- Is responsible for the accuracy, quality, and legality of the personal data it ingests
- Will ensure that any API keys, webhook secrets, or access tokens used to send data to Lumiqo are appropriately secured and rotated
- Will configure appropriate data retention periods within the Lumiqo console and not retain personal data beyond what is necessary
Technical & Organisational Security Measures
Lumiqo implements the following measures to protect personal data in accordance with Article 32 GDPR:
Access Controls
- Role-based access control (RBAC) with least-privilege principles for all internal access to Customer Data
- Multi-factor authentication (MFA) enforced for all Lumiqo engineer access to production systems
- VPN and bastion-host gating for direct database access — all access logged and auditable
Encryption
- TLS 1.2 or higher for all data in transit between the Controller and Lumiqo endpoints
- AES-256 encryption at rest for all stored Customer Data on AWS
- API keys and webhook secrets stored encrypted using envelope encryption (AWS KMS)
Availability & Resilience
- Multi-availability-zone deployment on AWS for redundancy
- Automated daily backups with point-in-time recovery (PITR) for all databases
- DDoS protection and rate limiting on all public ingestion endpoints
Incident Management
- Documented incident response plan with defined roles and escalation paths
- Personal data breach notification to the Controller within 48 hours of discovery, enabling the Controller to meet its 72-hour regulatory reporting obligation
- Post-incident reviews and root cause analyses for significant security events
Sub-Processors
Lumiqo engages sub-processors to provide certain components of the Services. The Controller provides a general authorisation for Lumiqo to engage sub-processors, subject to the safeguards below.
Current Sub-Processors
- Amazon Web Services (AWS): Cloud infrastructure, storage, and compute — US-East, EU-West
- OpenAI, L.L.C.: LLM inference for conversational AI features — US. Data is not used for model training. Data Processing Addendum in place.
- Stripe, Inc.: Payment processing — US. PCI DSS Level 1 certified.
- Intercom, Inc.: Customer support messaging — US
- Functional Software, Inc. (Sentry): Error monitoring — US. Error payloads are scrubbed of PII before transmission.
- Resend, Inc.: Transactional email delivery — US
All sub-processors are bound by data processing agreements that impose data protection obligations substantially equivalent to those in this DPA. An up-to-date sub-processor list is maintained at lumiqo.app/legal/sub-processors.
Sub-Processor Changes
Lumiqo will provide at least 30 days' advance written notice (via email to the Controller's registered account address) before adding or replacing any sub-processor. The Controller may object on reasonable grounds within 14 days; if the objection cannot be resolved, either party may terminate the affected Services.
International Data Transfers
Where Customer Data is transferred from the EEA, UK, or Switzerland to countries not recognised as providing adequate data protection, Lumiqo relies on the following mechanisms:
- EU Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor) as approved by the European Commission under Decision 2021/914, incorporated by reference into this DPA
- UK International Data Transfer Addendum (IDTA): For transfers from the UK, the UK IDTA to the EU SCCs is incorporated
- Swiss data transfers: Governed by applicable SCCs as recognised by the Swiss Federal Data Protection Commissioner
- EU-US Data Privacy Framework: Where applicable and Lumiqo or its sub-processors are certified under the DPF
A completed copy of the applicable SCCs and Transfer Impact Assessment (TIA) is available upon request at legal@lumiqo.app.
Data Subject Rights Assistance
Lumiqo will provide the Controller with reasonable technical assistance to enable the Controller to respond to Data Subject requests. This includes:
- Data export tools in the console to extract specific user data by identifier
- API endpoints enabling programmatic data retrieval by user ID or email
- The ability to delete individual user records from the Lumiqo data store
- Audit logs of data access and processing activity relevant to a specific Data Subject
The Controller remains solely responsible for receiving, evaluating, and responding to Data Subject requests. Lumiqo will forward any Data Subject requests it receives directly to the Controller within 5 business days.
Audit Rights
Lumiqo shall, upon reasonable written notice (minimum 30 days) and no more than once per calendar year, permit the Controller or its appointed third-party auditor to:
- Inspect Lumiqo's data processing facilities and practices relevant to this DPA
- Review Lumiqo's security policies, procedures, and relevant audit reports (SOC 2)
- Submit written security questionnaires to be answered by Lumiqo's security team
Audits may not unreasonably interfere with Lumiqo's business operations or other customers' privacy. The Controller is responsible for any costs incurred in connection with an audit. Lumiqo's SOC 2 Type II report may satisfy audit requirements for most Controllers.
AI & Machine Learning Data Processing
Lumiqo's platform includes AI-powered features, including conversational analytics, anomaly detection, and automated insight generation. The following terms govern AI-related data processing:
- Tenant isolation: AI inference is performed in isolated, per-customer contexts. Customer Data from one tenant is never used in inference for another tenant.
- No model training: Lumiqo does not use Customer Data to train, fine-tune, or improve Lumiqo's or any sub-processor's AI models without explicit, separately documented consent.
- LLM sub-processor controls: When Customer Data is sent to third-party LLM providers (e.g. OpenAI), it is transmitted under a Data Processing Agreement that prohibits use for model training and requires deletion within 30 days.
- AI output accuracy: AI-generated insights are probabilistic outputs and may be inaccurate. The Controller is responsible for verifying AI outputs before acting on them.
- Sensitive data: The Controller must not submit special category personal data (Art. 9 GDPR) to AI features without a specific written addendum.
Term, Termination & Data Deletion
This DPA remains in effect for the duration of the Controller's subscription to the Services and terminates automatically when the underlying agreement terminates.
Data Deletion on Termination
- Upon termination, Lumiqo will make Customer Data available for export via the console for 30 days
- After 30 days, Customer Data will be permanently deleted from active storage within 60 days
- Backup copies are purged on their natural rotation cycle (maximum 90 days)
- Lumiqo will provide a written deletion confirmation upon request
Data that Lumiqo is required to retain by law (e.g. billing records) is retained only for the legally mandated period and is inaccessible to the Services.
DPA Contact & Execution
For questions about this DPA, to request a countersigned enterprise DPA, or to exercise rights under this agreement:
- Legal & DPA enquiries: legal@lumiqo.app
- Data Protection Officer: dpo@lumiqo.app
- Security & audit requests: security@lumiqo.app
- Enterprise agreements: sales@lumiqo.app