Data Processing Agreement
Last updated: March 25, 2026 · GDPR Article 28(3)
1. Parties
This Data Processing Agreement ("DPA") forms part of the agreement between:
Controller: The Client, as identified in the applicable order, intake form, or Terms of Service ("Controller").
Processor: LUMGEX, operated by Dianna Abad Veloz as an eenmanszaak (Dutch sole proprietorship), KvK 96772875, The Netherlands ("Processor").
This DPA supplements and is incorporated into the LUMGEX Terms of Service and Privacy Policy. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.
2. Definitions
Terms used in this DPA have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" shall have the same meaning as in the GDPR.
3. Subject matter, duration, nature & purpose
Subject matter: The Processor processes Personal Data on behalf of the Controller solely for the purpose of delivering GPSR compliance documentation services (currently: Intelligence Reports; Evidence Packs in preparation, not yet available for order) as described in the Terms of Service.
Duration: This DPA applies for the duration of the service relationship between the Parties. Processing begins when the Controller submits an intake form and ends when all Personal Data has been deleted or returned in accordance with Section 10.
Nature of processing: Automated and semi-automated processing including: collection (via intake forms), storage (in operational systems), structuring, extraction (via AI-assisted workflows), organization into compliance documentation, and delivery via secure file sharing.
Purpose: To generate structured GPSR compliance documentation packages on behalf of the Controller for use in connection with Amazon EU marketplace listings.
4. Types of Personal Data processed
Note: Categories marked with * apply only when the Evidence Pack service is used. The current Intelligence Report service processes primarily client contact data (row 4).
| Category | Data elements | Source |
|---|---|---|
| EU Responsible Person * | Name, address, email, phone number | Client intake / uploaded documents |
| Manufacturer contacts * | Contact person name, email, address | Uploaded compliance documents |
| Importer contacts * | Contact person name, email, address | Uploaded compliance documents |
| Client contacts | Name, email, company name, VAT number | Intake form, Stripe checkout |
5. Categories of Data Subjects
- EU Responsible Persons designated by the Controller
- Manufacturer and importer contact persons identified in uploaded compliance documents
- The Controller's own employees or representatives who interact with the service
6. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law to which the Processor is subject (Article 28(3)(a) GDPR).
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
- Implement appropriate technical and organizational security measures as described in Section 8 (Article 28(3)(c) GDPR).
- Not engage another processor (sub-processor) without prior general written authorization from the Controller, subject to the conditions in Section 9 (Article 28(3)(d) GDPR).
- Assist the Controller, taking into account the nature of processing, in responding to Data Subject requests (Article 28(3)(e) GDPR).
- Assist the Controller in ensuring compliance with security obligations, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor (Article 28(3)(f) GDPR).
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage (Article 28(3)(g) GDPR). See Section 10.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR). See Section 11.
7. Controller obligations
The Controller shall:
- Ensure that it has a lawful basis for providing Personal Data to the Processor.
- Ensure that it has obtained all necessary consents or authorizations to share the Personal Data of third parties (including Responsible Persons, manufacturer contacts, and importer contacts) with the Processor.
- Provide complete and accurate information and documentation necessary for the Processor to perform its services.
- Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
8. Security measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- Self-hosted core processing infrastructure (Hetzner, EU/Germany) to minimize third-party exposure during document processing.
- Two-factor authentication (2FA) on all operational tools and accounts.
- Access limited to necessary personnel on a least-privilege basis.
- Encrypted transport (TLS) for all data transfers.
- Files shared via access-controlled links limited to authorized recipients.
- AI sub-processors (OpenAI) engaged under zero-data-retention API terms; client data is not used to train AI models.
- Regular review and update of security measures in line with the state of the art.
9. Sub-processors
The Controller provides general written authorization for the Processor to engage the following sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner | VPS hosting, automation workflows, PDF processing | EU (Germany) | N/A (EU) |
| OpenAI | AI text extraction and data structuring (ZDR API) | US | EU-US DPF / SCCs |
| Airtable | Order management and delivery tracking | US | EU-US DPF / SCCs |
| Make.com | Workflow automation and routing | EU | N/A (EU) |
| Google Workspace | File storage, delivery folders, email | EU/US | EU-US DPF / SCCs |
| Stripe | Payment processing and invoicing | US | EU-US DPF / SCCs |
| Tally | Intake forms | EU (Belgium) | N/A (EU) |
| Hostinger | Website and static page hosting | EU (Lithuania) | N/A (EU) |
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
10. Data retention & deletion
Upon termination of the service relationship or upon written request by the Controller, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires continued storage. Retention periods:
- Intake assets and delivered Intelligence Reports: up to 18 months from delivery. (Evidence Pack retention terms will apply when that service becomes available.)
- Operational logs: up to 24 months.
- Hash-chain audit trail: up to 7 years (tamper-evident integrity records).
- Billing and tax records: up to 7 years (Dutch fiscal law obligation).
The Processor shall confirm deletion in writing upon request.
11. Audits
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct or commission an audit of the Processor's processing activities, subject to reasonable advance notice (minimum 14 days), during normal business hours, and no more than once per calendar year unless required by a supervisory authority. The Controller shall bear the costs of any such audit. The Processor shall cooperate in good faith.
12. Data breach notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
13. International transfers
Where Personal Data is transferred to sub-processors outside the EEA, the Processor relies on the EU-US Data Privacy Framework (DPF) for certified vendors and/or Standard Contractual Clauses (SCCs) as specified in the sub-processor table above. The Processor shall ensure that appropriate safeguards are in place before any transfer takes place.
14. Liability
Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except where such limitation is not permitted by applicable law.
15. Term & termination
This DPA enters into force upon the Controller's acceptance of the Terms of Service (including by placing an order or submitting an intake form) and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Provisions that by their nature should survive termination (including Sections 10, 11, 12, and 14) shall remain in effect after termination.
16. Governing law
This DPA is governed by the laws of the Netherlands. Any disputes arising from this DPA shall be submitted exclusively to the competent court in The Hague, the Netherlands, in accordance with the Terms of Service.
17. Amendments
The Processor may update this DPA to reflect changes in applicable law, sub-processors, or processing activities. Material changes will be notified to active clients by email at least 14 days prior to taking effect. Continued use of the service after notification constitutes acceptance.
Questions about this DPA? privacy@lumgex.com
lumgex.com · Operational readiness for your compliance. Not legal advice. No guarantee of Amazon acceptance.