Security & GDPR

Clear answers for agencies and brands. No fluff.

Roles

For customer-uploaded materials, you are typically the controller and LUMGEX acts as a processor under GDPR. Our Data Processing Agreement (DPA) per Article 28 GDPR is published at lumgex.com/dpa.html and applies automatically when you use our services.

Subprocessors

We use a small set of providers for storage, email, payments, and AI-assisted document processing. All subprocessors are listed with their purpose, location, and transfer mechanism in our Privacy Policy.

AI / LLM usage

AI-assisted document processing is an integral part of our service and is performed under the legal basis of contract performance (GDPR Art. 6(1)(b)). We use AI to extract, structure, and validate compliance data from your uploaded documents. Data sent to AI providers is minimized to what is necessary for the task. Customer data is not used to train public models. Our primary AI subprocessor (OpenAI) operates under zero-data-retention API terms.

Security measures

Retention

Intelligence Report & intake assets: up to 18 months. Operational logs: up to 24 months. Hash-chain audit trail: up to 7 years. Billing/tax records: up to 7 years (Dutch fiscal law). The full retention schedule is in our Privacy Policy.

Deletion requests

Email privacy@lumgex.com to request deletion. We respond within 30 days (typically within 72 hours).
