Data Processing Agreement
Last updated: 3 May 2026 · Version 1.1
This Data Processing Agreement (DPA) forms part of the Terms of Service between LumenWeave Ltd ("LumenWeave", the processor) and the customer (the controller). It describes how LumenWeave processes personal data on behalf of the customer in connection with the service.
1. Scope and purpose
LumenWeave processes personal data on behalf of the customer for the sole purpose of providing the LumenWeave service: collecting, storing, transmitting, analysing, and displaying compliance documents and managing communications with the customer's contacts. LumenWeave does not use customer personal data for its own purposes.
2. Categories of data processed
The personal data processed under this DPA includes:
- Names, email addresses, and phone numbers of the customer's subcontractor and client contacts.
- Documents uploaded by those contacts (which may themselves contain personal data such as director names, policy holder names, and identification on cards or certificates).
- Message content sent to or received from those contacts through LumenWeave-managed channels.
The data subjects are the customer's employees, contractors, subcontractors, clients, and their representatives.
3. Processing activities
LumenWeave will process personal data to:
- Store documents securely on behalf of the customer.
- Transmit messages to the customer's contacts on behalf of the customer.
- Analyse documents using the AI sub-processor listed in section 5 to flag obvious compliance issues.
- Present dashboards and audit trails to authorised users within the customer's organisation.
4. Security measures
LumenWeave will implement and maintain the following measures:
- AES-256 encryption of customer data at rest.
- TLS 1.3 encryption of data in transit.
- Row-level security in the database so each customer only sees their own organisation's data.
- Signed, time-limited URLs for all access to stored objects. No anonymous access to customer storage.
- Append-only audit log of access, uploads, reviews, and downloads.
- Role-based access control within customer organisations.
- Regular security reviews.
- Staff access to production systems and customer data limited on a need-to-know basis.
5. Sub-processors
LumenWeave uses the following sub-processors to deliver the service. By accepting this DPA, the customer provides a general authorisation for these sub-processors:
- Supabase — database and storage hosting (AWS EU).
- Google (Vertex AI) — AI document analysis (Gemini Pro). Documents sent for analysis are not retained by Google for model training under our Vertex AI terms.
- Resend — transactional email.
- Twilio — SMS and WhatsApp messaging.
- Stripe — payment processing (customer billing data only; no subcontractor data).
- Vercel — application hosting.
LumenWeave will give the customer at least 30 days' notice of any proposed change to sub-processors (addition or replacement). The customer may object to a new sub-processor on reasonable data protection grounds; if the parties cannot agree an alternative, the customer may terminate the affected service component.
6. International data transfers
Personal data may be transferred to and processed in the countries where our sub-processors operate, as listed in section 5.
Transfers of personal data out of the UK or EEA are covered by the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, or by another safeguard recognised under UK GDPR.
For customers located in other jurisdictions, LumenWeave applies equivalent contractual and technical safeguards (encryption at rest and in transit, access controls, audit trail, and a written commitment from each sub-processor that it will process data only on documented instructions) so that the level of protection is not materially reduced by the transfer.
7. Breach notification
LumenWeave will notify the customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting that customer's data. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
8. Assistance with data subject rights
LumenWeave will, taking into account the nature of the processing, provide reasonable assistance to the customer in responding to requests from data subjects exercising their rights under applicable data protection law (access, rectification, erasure, portability, restriction, objection).
9. Deletion and return of data
On termination of the service, the customer may export their data for up to 30 days. After that export period ends (or sooner on request), LumenWeave deletes all customer personal data from live systems within 30 days. Backup copies expire on the standard backup rotation and are fully overwritten within 90 days of deletion from live systems. LumenWeave will confirm deletion in writing on request.
10. Audit rights
On reasonable written notice and no more than once in any 12-month period, the customer may request confirmation in writing of the security measures LumenWeave has in place. Where the customer reasonably requires further assurance, the parties will cooperate in good faith to provide it, including through independent certifications, penetration test summaries, or structured questionnaire responses.
11. Confidentiality
LumenWeave ensures that everyone authorised to process customer personal data is bound by a duty of confidentiality. Production access is limited to named staff.
12. Term
This DPA takes effect from the date the customer accepts these terms and continues in force until the customer stops using the service and all customer personal data has been deleted or returned in accordance with section 9.
13. Governing law
This DPA is governed by the laws of England and Wales and the courts of England and Wales have exclusive jurisdiction.
This DPA is intended to comply with applicable data protection laws in the jurisdiction of the customer, including but not limited to UK GDPR (as amended by the Data (Use and Access) Act 2025), EU GDPR, the Australian Privacy Act 1988, the Singapore PDPA, and other applicable data protection legislation. Where a customer's local law imposes additional processor obligations that cannot be overridden by contract, those obligations apply in addition to this DPA.
14. Contact
DPA and data protection queries: contact@lumenweave.ai.