Data Processing Agreement (DPA)

This Data Processing Agreement (DPA) governs the processing of data in accordance with Art. 28 GDPR in connection with the use of Luminara AI.

1. Subject Matter of the Agreement

The Processor (Luminara AI) processes personal data on behalf of the Controller (Customer) to provide AI visibility services. The Processor will process personal data exclusively within the scope of the Controller's instructions.

2. Subject Matter and Duration of Processing

2.1 Type and Purpose of Data Processing

The Processor processes personal data for the purpose of:

  • Provision and management of the Luminara AI service
  • Storage and processing of product data
  • Generation and provision of JSON-LD structured data
  • Validation and quality scoring of product information
  • Email notifications and support communication

2.2 Categories of Data Subjects

  • Customers (users of the platform)
  • End customers of the Controller (if contained in product data)

2.3 Categories of Data Processed

  • Master data (name, company name, email address)
  • Contract data (plan, usage duration, payment status)
  • Product data (product names, prices, descriptions, URLs)
  • Usage data (login times, API accesses, validation history)
  • Technical data (IP addresses, browser information, log data)

2.4 Duration of Processing

Processing takes place for the duration of the contractual relationship between the Controller and the Processor. After termination of the contract, data will be deleted in accordance with legal retention periods or handed over to the Controller upon request.

3. Obligations of the Processor

3.1 Processing According to Instructions

The Processor processes personal data exclusively within the scope of the Controller's documented instructions. Instructions may be issued in writing or in electronic form.

3.2 Confidentiality

The Processor commits all persons involved in processing to confidentiality in accordance with Art. 28(3)(b) GDPR. The obligation of confidentiality continues beyond the end of the contract.

3.3 Technical and Organizational Measures (TOM)

The Processor implements the following technical and organizational measures to ensure an appropriate level of protection:

  • Encryption: TLS 1.3 for data transmission, bcrypt for passwords
  • Access Control: JWT-based authentication, role-based permissions
  • Data Backup: Daily backups with 30-day retention
  • Logging and Monitoring: Comprehensive audit logging of all data accesses
  • Incident Response: Documented processes for security incidents
  • Network Security: Firewall, rate limiting, DDoS protection

3.4 Support for the Controller

The Processor supports the Controller with:

  • Information requests from data subjects
  • Deletion or correction of data
  • Data transfer (portability)
  • Reporting of data breaches

3.5 Deletion and Return of Data

After the end of the provision of processing services, the Processor deletes all personal data or hands it over to the Controller upon request. The handover is in a structured, common, and machine-readable format (JSON, CSV).

4. Sub-Processing

4.1 Authorization of Sub-Processors

The Processor is authorized to engage sub-processors. Engagement occurs only with the prior consent of the Controller. The following sub-processors are currently authorized:

  • Hosting Provider: IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany) - Server Location: Karlsruhe, Germany
  • Email Service: IONOS SE (mail.luminara-ai.de, Elgendorfer Str. 57, 56410 Montabaur, Germany) - Sending transactional emails (password reset, welcome emails, invoices). Legal basis: Art. 6(1)(b) GDPR (contract performance). Privacy Policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/
  • Payment Processing: Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) - EU-US Data Privacy Framework (DPF) certified, EU Standard Contractual Clauses
  • Monitoring: Currently no external monitoring provider is used. System monitoring is performed exclusively via own infrastructure on the IONOS VPS server in Germany.

The Processor informs the Controller of intended changes with a notice period of 30 days. The Controller may object within this period.

4.2 Obligations Towards Sub-Processors

The Processor commits sub-processors to the same data protection obligations as regulated in this DPA. The Processor remains responsible to the Controller for compliance with obligations by sub-processors.

5. Rights of the Controller

5.1 Control Rights

The Controller has the right to verify compliance with data protection regulations by the Processor. This can be done through:

  • Obtaining information
  • Inspection of relevant documents
  • On-site inspections (after prior notice)
  • Commissioning of an independent auditor

5.2 Right to Issue Instructions

The Controller may issue instructions to the Processor at any time regarding the processing of personal data. Instructions must be issued in text form. The Processor immediately informs the Controller if an instruction, in the Processor's opinion, violates data protection regulations.

6. Data Breaches

6.1 Reporting Data Breaches

The Processor reports breaches of the protection of personal data to the Controller without undue delay, but no later than 24 hours after becoming aware of the breach. The report contains at least:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects and data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to remedy the breach

6.2 Documentation

The Processor documents all data breaches, including the circumstances of the breach, its effects, and the remedial measures taken.

7. Liability and Compensation

The Processor is liable for damages resulting from improper processing of personal data. Liability is governed by the statutory provisions of the GDPR and the provisions of the main contract.

8. Final Provisions

8.1 Term

This DPA enters into force upon conclusion of the main contract and applies for the duration of the contractual relationship. Amendments or supplements to this DPA require written form.

8.2 Changes to Legal Provisions

In the event of changes to the GDPR or other applicable data protection regulations, the parties will adapt this DPA by mutual agreement.

8.3 Severability Clause

Should individual provisions of this DPA be invalid or become invalid, this does not affect the validity of the remaining provisions. The invalid provision will be replaced by a valid provision that comes closest to the economic purpose of the invalid provision.

8.4 Applicable Law and Jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany and the EU General Data Protection Regulation (GDPR). Place of jurisdiction is Bochum, Germany, as stated in the main Terms and Conditions.

9. Contact

For questions regarding this Data Processing Agreement, please contact:

E-Mail: privacy@luminara-ai.de

The complete contact details can be found in our Legal Notice.

Acceptance of the DPA

By using Luminara AI and accepting the Terms and Conditions, you, as the Controller, accept this Data Processing Agreement. You may request a signed version of the DPA at any time by email.

Last updated: 24 January 2026

This is a translation of the German Data Processing Agreement (AVV). In the event of discrepancies between the English version and the German version, the German version shall prevail as the legally binding version for customers in Germany.