Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Luminai Limited ("Processor", "Luminai", "we", "us") and you ("Controller", "Customer", "you") and governs the processing of personal data by Luminai on your behalf.
This DPA ensures compliance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Other applicable data protection laws
2. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data |
| Data Subject | An individual whose Personal Data is processed |
| Sub-processor | A third party engaged by Luminai to process Personal Data |
| Controller | Entity determining purposes and means of processing (you) |
| Processor | Entity processing data on behalf of Controller (Luminai) |
3. Scope of Processing
3.1 Subject Matter
Luminai processes Personal Data to provide the AI agent platform services described in the Terms of Service.
3.2 Duration
Processing continues for the duration of the Terms of Service plus any retention period required by law.
3.3 Nature and Purpose
Processing includes:
- Hosting and storing Customer Content and End User data
- Processing conversations through AI models
- Providing analytics and reporting
- Technical support and troubleshooting
3.4 Categories of Data Subjects
- Customer personnel (account users)
- Customer's End Users (individuals interacting with Agents)
3.5 Types of Personal Data
- Contact information (names, email addresses)
- Conversation content and metadata
- Usage data and analytics
- Any Personal Data included in Knowledge Bases or Agent interactions
4. Customer Obligations
As Controller, you are responsible for:
- Ensuring a lawful basis for processing (consent, contract, legitimate interest, etc.)
- Providing privacy notices to Data Subjects
- Obtaining any required consents
- Providing lawful, documented processing instructions
- Responding to Data Subject requests
- Using strong authentication for account access
- Reporting security incidents promptly
5. Processor Obligations
Luminai commits to:
5.1 Processing Instructions
- Process Personal Data only on your documented instructions
- Inform you if we believe an instruction violates applicable law
- Not process for our own purposes except as permitted by law
5.2 Confidentiality
- Ensure personnel processing data are bound by confidentiality obligations
- Limit access to personnel who need it to perform services
5.3 Security Measures
Implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Employee security training
5.4 Data Breach Notification
- Notify you of Personal Data breaches without undue delay (within 48 hours)
- Provide information needed for your regulatory notifications
- Cooperate in breach investigation and mitigation
5.5 Deletion and Return
Upon termination of services:
- Delete or return Personal Data within 30 days at your choice
- Provide certification of deletion upon request
- Retain only as required by law
6. Sub-processors
6.1 Current Sub-processors
You authorise our use of the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | EU/UK |
| Cloudflare | CDN, security | Global |
| OpenAI | AI model processing | USA |
| Anthropic | AI model processing | USA |
| Google Cloud | AI model processing | USA |
| Stripe | Payment processing | USA/EU |
6.2 Changes to Sub-processors
- We will notify you of new Sub-processors at least 14 days before engagement
- You may object to new Sub-processors by notifying us within 14 days
- If we cannot accommodate your objection, you may terminate affected services
7. International Transfers
7.1 Transfer Mechanisms
Personal Data may be transferred outside the UK. We rely on:
- UK International Data Transfer Agreement (IDTA)
- Standard Contractual Clauses (SCCs)
- Supplementary measures where required
7.2 AI Provider Transfers
Data sent to AI providers (OpenAI, Anthropic, Google) for processing is transferred under their DPAs and SCCs. These providers commit to not training on API data.
8. Data Subject Rights
You are responsible for responding to Data Subject requests. We will assist by forwarding requests, providing tools (data export, deletion features), and providing reasonable assistance.
9. Audit
We will:
- Provide information needed to demonstrate compliance
- Allow audits by you or a third-party auditor (with reasonable notice and confidentiality)
- Provide audit reports or certifications upon request
10. Liability
Each party is liable for damages caused by its breach of this DPA or applicable data protection law. Liability under this DPA is subject to the limitations in the Terms of Service.
11. Term
This DPA remains in effect for the duration of the Terms of Service. Obligations relating to confidentiality, data deletion, and liability survive termination.
12. Contact
For DPA-related inquiries:
Luminai Limited
Data Protection Contact: empower+privacy@luminai.co.uk