This Data Processing Agreement (DPA) governs data processing in accordance with Art. 28 GDPR in the context of using Luminara AI.
1. Subject Matter of the Agreement
The Processor (Luminara AI) processes personal data on behalf of the Controller (Customer) to provide AI visibility services. The Processor will process personal data exclusively within the scope of the Controller's instructions.
2. Subject Matter and Duration of Processing
2.1 Type and Purpose of Data Processing
The Processor processes personal data for the purpose of:
- Provision and management of the Luminara AI service
- Storage and processing of product data
- Generation and provision of JSON-LD structured data
- Validation and quality scoring of product information
- Email notifications and support communication
2.2 Categories of Data Subjects
- Customers (users of the platform)
- End customers of the Controller (if contained in product data)
2.3 Categories of Data Processed
- Master data (name, company name, email address)
- Contract data (plan, usage duration, payment status)
- Product data (product names, prices, descriptions, URLs)
- Usage data (login times, API accesses, validation history)
- Technical data (IP addresses, browser information, log data)
2.4 Duration of Processing
Processing takes place for the duration of the contractual relationship between the Controller and the Processor. After termination of the contract, data will be deleted in accordance with legal retention periods or handed over to the Controller upon request.
3. Obligations of the Processor
3.1 Processing According to Instructions
The Processor processes personal data exclusively within the scope of the Controller's documented instructions. Instructions may be issued in writing or in electronic form.
3.2 Confidentiality
The Processor commits all persons involved in processing to confidentiality in accordance with Art. 28(3)(b) GDPR. The obligation of confidentiality continues beyond the end of the contract.
3.3 Technical and Organizational Measures (TOM)
The Processor implements the following technical and organizational measures pursuant to Art. 32 GDPR to ensure an appropriate level of protection:
- Physical Access Control: Servers are operated in IONOS data centers in Germany. Physical access control is provided by the data center operator in accordance with ISO 27001 (access restrictions, video surveillance, alarm systems).
- System Access Control: SSH key-only authentication (no root login), fail2ban against brute force, two-factor authentication for admin access, automatic session timeout.
- Data Access Control: JWT-based authentication, role-based permissions (RBAC), principle of least privilege, separate user accounts for services and administration.
- Separation Control: Tenant separation at database level through merchant-specific foreign keys. Every data access is verified via middleware to ensure it belongs to the requesting tenant.
- Encryption (Transfer Control): TLS 1.3 for all data transfers, HSTS with preload, WireGuard VPN tunnel between web server and database server. Passwords are never stored in plaintext; they are stored only as bcrypt hashes (cost factor 12).
- Input Control: Audit logging of all write data accesses with timestamp and user ID. Logs are retained for 90 days and protected against retroactive modification.
- Availability Control: Daily automated backups with 30-day retention. Backups on separate server. Redundant network connectivity provided by IONOS. Recovery Time Objective (RTO): 4 hours, Recovery Point Objective (RPO): 24 hours.
- Resilience (Art. 32(1)(b) GDPR): Rate limiting on all API endpoints, DDoS protection, automatic process restart on failure (PM2), network firewall with restrictive rules.
- Incident Response: Documented process for security incidents. Notification to the Controller within 24 hours of discovery, so that the Controller can meet its own obligation under Art. 33 GDPR to notify the supervisory authority within 72 hours.
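The Separation Control and Data Access Control items above describe a pattern (tenant id carried in the JWT, role-based permissions, and a merchant-specific foreign key checked on every access) rather than a specific implementation. The following is an added illustration of that pattern, not code from Luminara AI. It assumes a Node.js service, a products table with a `merchant_id` column, and a JWT whose claims include `merchant_id` and `role`; the table contents, role names and field names are constructed for the example.

```javascript
// Added example: tenant-scoped data access with RBAC, as described in the
// "Separation Control" and "Data Access Control" measures. Not Luminara AI's
// code; claim names, roles and sample records are assumptions for illustration.

// Constructed sample data: two tenants sharing one products table, each row
// carrying the merchant_id foreign key that scopes it to a tenant.
const PRODUCTS = [
  { id: 101, merchant_id: 1, name: "Kettle", price: 29.9 },
  { id: 102, merchant_id: 1, name: "Toaster", price: 39.9 },
  { id: 201, merchant_id: 2, name: "Blender", price: 59.0 },
];

// Role -> permitted actions (RBAC, least privilege: viewers cannot write).
const ROLE_PERMISSIONS = {
  viewer: new Set(["product:read"]),
  editor: new Set(["product:read", "product:write"]),
  admin: new Set(["product:read", "product:write", "product:delete"]),
};

class AccessError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Middleware step 1: derive the tenant context from JWT claims. Signature
// verification is assumed to have happened upstream; this step only checks that
// the claims needed for tenant scoping are present and well-formed.
function tenantContext(claims) {
  if (!claims || !Number.isInteger(claims.merchant_id) || typeof claims.role !== "string") {
    throw new AccessError(401, "missing tenant claims");
  }
  if (!Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, claims.role)) {
    throw new AccessError(403, "unknown role");
  }
  return { merchantId: claims.merchant_id, role: claims.role };
}

// Middleware step 2: RBAC check of the requested action against the role.
function authorize(ctx, action) {
  if (!ROLE_PERMISSIONS[ctx.role].has(action)) {
    throw new AccessError(403, `role ${ctx.role} may not ${action}`);
  }
}

// Data access: the merchant_id predicate is part of every lookup, so a record
// belonging to another tenant is never loaded at all. The in-memory filter here
// stands in for `WHERE id = ? AND merchant_id = ?` in SQL.
function findProduct(ctx, productId) {
  return PRODUCTS.find((p) => p.id === productId && p.merchant_id === ctx.merchantId) || null;
}

// Request handlers. A cross-tenant id yields 404, the same response as a
// non-existent id, so a caller cannot enumerate other tenants' record ids.
function getProduct(claims, productId) {
  const ctx = tenantContext(claims);
  authorize(ctx, "product:read");
  const product = findProduct(ctx, productId);
  if (!product) throw new AccessError(404, "product not found");
  return product;
}

function updateProductPrice(claims, productId, newPrice) {
  const ctx = tenantContext(claims);
  authorize(ctx, "product:write");
  const product = findProduct(ctx, productId);
  if (!product) throw new AccessError(404, "product not found");
  product.price = newPrice;
  return product;
}

// Wraps a handler call into an HTTP-style { status, body } result.
function attempt(fn) {
  try {
    return { status: 200, body: fn() };
  } catch (e) {
    if (e instanceof AccessError) return { status: e.status, body: e.message };
    throw e;
  }
}

// Constructed demo tokens (decoded claims only; no signature, see tenantContext).
const merchant1Editor = { sub: "u1", merchant_id: 1, role: "editor" };
const merchant2Viewer = { sub: "u2", merchant_id: 2, role: "viewer" };

console.log(attempt(() => getProduct(merchant1Editor, 101)));            // 200, Kettle
console.log(attempt(() => getProduct(merchant2Viewer, 101)));            // 404, other tenant
console.log(attempt(() => updateProductPrice(merchant2Viewer, 201, 1))); // 403, viewer role
```

The point worth checking in a review of such a service is that the tenant predicate lives in the data-access layer, not in each handler: a handler that forgets the check still cannot reach another tenant's row, and a forged or missing `merchant_id` claim is rejected before any query runs.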
3.4 Support for the Controller
The Processor supports the Controller with:
- Information requests from data subjects
- Deletion or correction of data
- Data transfer (portability)
- Reporting of data breaches
3.5 Deletion and Return of Data
After the end of the provision of processing services, the Processor deletes all personal data or hands it over to the Controller upon request. The handover is in a structured, common, and machine-readable format (JSON, CSV).
4. Sub-Processing
4.1 Authorization of Sub-Processors
The Processor is authorized to engage sub-processors. Engagement occurs only with the prior consent of the Controller. The following sub-processors are currently authorized:
- Hosting Provider: IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany) - Server Location: Karlsruhe, Germany
- Email Service: IONOS SE (mail.luminara-ai.de, Elgendorfer Str. 57, 56410 Montabaur, Germany) - Sending transactional emails (password reset, welcome emails, invoices). Legal basis: Art. 6(1)(b) GDPR (contract performance). Privacy Policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/
- Payment Processing: Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) - EU-US Data Privacy Framework (DPF) certified, EU Standard Contractual Clauses
- Monitoring: Currently no external monitoring provider is used. System monitoring is performed exclusively via own infrastructure on the IONOS VPS server in Germany.
- Search Result Data: SerpAPI (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) - Retrieval of search engine results for competitive analysis. EU Standard Contractual Clauses (SCCs). No personal data is transmitted.
- News Data: NewsAPI (London, UK) - Retrieval of news articles for trend and market analysis. EU-UK Adequacy Decision. No personal data is transmitted.
- Community Data: Reddit API (Reddit, Inc., 303 2nd Street, Suite 500S, San Francisco, CA 94107, USA) - Retrieval of public discussions for market and sentiment analysis. EU-US Data Privacy Framework (DPF). No personal data is transmitted.
The Processor informs the Controller of intended changes with a notice period of 30 days. The Controller may object within this period.
4.2 Obligations Towards Sub-Processors
The Processor commits sub-processors to the same data protection obligations as regulated in this DPA. The Processor remains responsible to the Controller for compliance with obligations by sub-processors.
5. Rights of the Controller
5.1 Control Rights
The Controller has the right to verify compliance with data protection regulations by the Processor. This can be done through:
- Obtaining information
- Inspection of relevant documents
- On-site inspections (after prior notice)
- Commissioning of an independent auditor
5.2 Right to Issue Instructions
The Controller may issue instructions to the Processor at any time regarding the processing of personal data. Instructions must be issued in text form. The Processor immediately informs the Controller if an instruction, in the Processor's opinion, violates data protection regulations.
6. Data Breaches
6.1 Reporting Data Breaches
The Processor reports breaches of the protection of personal data to the Controller without undue delay, but no later than 24 hours after becoming aware of the breach. The report contains at least:
- Description of the nature of the breach
- Categories and approximate number of data subjects and data records affected
- Likely consequences of the breach
- Measures taken or proposed to remedy the breach
6.2 Documentation
The Processor documents all data breaches, including the circumstances of the breach, its effects, and the remedial measures taken.
7. Liability and Compensation
The Processor is liable for damages resulting from improper processing of personal data. Liability is governed by the statutory provisions of the GDPR and the provisions of the main contract.
8. Final Provisions
8.1 Term
This DPA enters into force upon conclusion of the main contract and applies for the duration of the contractual relationship. Amendments or supplements to this DPA require written form.
8.2 Changes to Legal Provisions
In the event of changes to the GDPR or other applicable data protection regulations, the parties will adapt this DPA by mutual agreement.
8.3 Severability Clause
Should individual provisions of this DPA be invalid or become invalid, this does not affect the validity of the remaining provisions. The invalid provision will be replaced by a valid provision that comes closest to the economic purpose of the invalid provision.
8.4 Applicable Law and Jurisdiction
This DPA is governed by the laws of the Federal Republic of Germany and the EU General Data Protection Regulation (GDPR). Place of jurisdiction is Bochum, Germany, as stated in the main Terms and Conditions.
9. Contact
For questions regarding this Data Processing Agreement, please contact:
E-Mail: privacy@luminara-ai.de
The complete contact details can be found in our Legal Notice.
Acceptance of the DPA
By using Luminara AI and accepting the Terms and Conditions, you as the Controller accept this Data Processing Agreement. You can request a signed version of the DPA at any time via email.
Last updated: April 1, 2026
This is a translation of the German Data Processing Agreement (AVV). In case of discrepancies between the English and German versions, the German version shall prevail as the legally binding version for customers in Germany.