Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Controller”) and Lumo Pages (“Processor”) when you use the Platform to collect personal data from respondents through published Lumos. It reflects the requirements of the EU GDPR and applicable law.

---

1. Scope and roles

When respondents submit data through a Lumo you publish, you act as the Data Controller and Lumo Pages processes that data on your instructions as a Data Processor, as further described in our Privacy Policy.

For account, billing, and platform operations, Lumo Pages may act as Controller as described in the Privacy Policy.

2. Nature and purpose of processing

Processing includes hosting, storing, displaying, transmitting, backing up, securing, and supporting access to respondent data submitted through your Lumos, and related logging and abuse prevention, solely to provide the Services you configure.

3. Duration

Processing continues for the term of your use of the Services and until deletion in line with the Privacy Policy, your account settings, and applicable law.

4. Your instructions

You instruct us to process respondent data as needed to operate the features you enable (e.g., inbox, exports, webhooks). You are responsible for the lawfulness of your collection and for your privacy notices to respondents.

5. Confidentiality and personnel

We restrict access to personal data to authorized personnel subject to confidentiality obligations.

6. Security

We implement appropriate technical and organizational measures, including encryption in transit (HTTPS), access controls, monitoring, and backup practices, as described in the Privacy Policy.

7. Sub-processors

You authorize us to engage sub-processors listed in our Sub-processor Appendix. We remain responsible for their performance. We will update that page when sub-processors change materially.

8. International transfers

Where data is processed outside your country, we use appropriate safeguards such as SCCs, DPF, or adequacy decisions, as described in our Privacy Policy.

9. Assistance

We will assist you, taking into account the nature of processing, with responding to requests from data subjects exercising GDPR rights, and with security and DPIA obligations where applicable and proportionate.

10. Breach notification

We will notify you without undue delay if we become aware of a personal data breach affecting respondent data you control, where required by law, and provide information reasonably necessary for you to meet your obligations.

11. Deletion and return

On termination or upon your documented request, we will delete or return personal data except where retention is required by law or limited backup cycles, as described in the Privacy Policy.

12. Audit

On reasonable request, we may make available information necessary to demonstrate compliance with this DPA, subject to confidentiality and security boundaries.

13. Liability

Liability between the parties follows our Terms of Service and applicable mandatory law.

14. Contact

Questions about this DPA: [email protected].