Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between you, the customer entity signing up for Lumi (“Customer,” “Controller” where GDPR applies), and Lumi (“Processor”) governing Processing of Personal Data in connection with the Services. Capitalized terms not defined here have the meaning in the Terms of Service or applicable data protection law.
1. Scope & roles
Customer determines the purposes and means of Processing Personal Data relating to its clients, event guests, and personnel when using the Services. Lumi Processes such Personal Data only on documented instructions from Customer—including via the functionality of the Services and documented configuration—unless required otherwise by applicable law (in which case Lumi will inform Customer unless prohibited).
2. Details of Processing
Subject matter: Provision of the Lumi cloud platform for event photo delivery, workspace management, and related features.
Duration: For the term of the Services agreement and as needed to wind down or comply with law, subject to retention settings described in documentation and the Privacy Policy.
Nature & purpose: Hosting, storage, authentication, similarity search to match guests to photos within Customer workspaces, security monitoring, support, and service improvement consistent with the agreement.
Categories of data subjects: Customer’s staff and contractors; event guests and subjects visible in Customer Content.
Categories of Personal Data: Identifiers (name, email); account data; photographs and embedded likenesses; technical embeddings derived from facial characteristics for matching; device/connection data; metadata Customer attaches to events and files.
Special categories: The Services involve Processing of technical embeddings derived from facial characteristics (biometric data) solely for the purpose of photo matching within Customer workspaces, as instructed by Customer.
3. Processor obligations
- Process Personal Data only on documented instructions unless Union or Member State law requires Processing; in that case, inform Customer before Processing unless legally prohibited.
- Ensure persons authorized to Process Personal Data are bound by confidentiality or statutory obligations.
- Implement appropriate technical and organizational measures, taking into account the state of the art, cost, and risks, as described in Section 6.
- Assist Customer, considering the nature of Processing, with responding to data subject requests and with DPIAs or prior consultations where applicable.
- Delete or return Personal Data at the end of the Services, at Customer’s choice, unless law requires retention.
- Make available information necessary to demonstrate compliance and allow audits conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality and security procedures.
- Notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Customer data, providing information required under Article 33/34 GDPR where applicable.
4. Sub-processors
Customer authorizes Lumi to engage Sub-processors to support the Services (e.g., infrastructure, database, object storage, email, DNS, analytics as configured). Lumi will impose data protection terms on Sub-processors substantially similar to this DPA. Lumi remains responsible for Sub-processors’ performance. A current list is published at lumibase.app/subprocessors (or your deployed domain’s equivalent); we will notify Customer of material changes where required by law or contract.
5. International transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to countries not recognized as adequate, Lumi will implement appropriate safeguards such as the EU Standard Contractual Clauses (and UK/CH addenda as needed), unless another valid mechanism applies.
6. Security measures
Measures include, as appropriate:
- Logical separation of customer workspaces and role-based access controls.
- Encryption of data in transit where supported for Service connections.
- Hardening, monitoring, vulnerability management, and incident response procedures.
- Limiting retention of embeddings and guest matching artifacts per product configuration and documentation.
7. Records
Lumi will maintain records of Processing activities as required by applicable law.
8. Conflict
If this DPA conflicts with the main Services agreement, the stricter data protection obligation prevails regarding Personal Data. If a supervisory authority or court voids a provision, the remainder stays in effect.
9. Signature
By using the Services on or after the “Last updated” date, Customer enters into this DPA. Enterprise customers may execute a separate order form; in case of conflict, the executed enterprise DPA controls for that Customer.
10. Contact
Data protection inquiries: [email protected] (replace with your official DPO or privacy contact).