Data Processing Attachment (DPA)

Version: September 2021

by and between LumApps (“Processor”) and Customer (“Controller”) for the use of the software as a service developed by LumApps.



This DPA has been pre-signed on behalf of LumApps.

To complete this DPA, Customer must:

  • complete the information in the signature box and sign at the end of the document;
  • send the signed DPA to LumApps by email to

Upon receipt of the validly completed DPA by LumApps, this DPA will become legally binding.



If the Customer signing this DPA is a party to a contract with LumApps or is the customer of an authorized reseller of LumApps to whom the terms and conditions of the LumApps Terms of Use apply, for the use of the software as a service developed by LumApps (“Agreement”), this DPA is an addendum to and forms part of the Agreement.



1. Definitions

The following words and expressions shall have the following meanings:

Customer” means any legal entity that has an Agreement.

Data Protection Laws” means all data protection laws and regulations, including the data protection laws and regulations of the Europe Union, the European Economic Area and their member states, the United Kingdom and the United States and its states, applicable to the Processing under the Agreement as amended from time to time.

Data Subject” means the identified or identifiable person to whom Personal Data relates.

Personal Data” means the information relating to an identified or identifiable natural person.

Physical, Technical and Organizational Security Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, the Personal Data transmitted, stored, or otherwise processed as part of the Service.

Sub-processor” means a third party selected by the Processor to process Personal Data in connection with provision of the Service.


2. Description of Personal Data Processing

The subject matter of the Personal Data processing is described below:

Description Details
Purpose Use of LumApps Services and other services
Nature of the processing Processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement which includes:

  • Provision of support services;
  • Improvement of user experience and fostering of the adoption and design features that fit user needs;
  • Monitoring for metrics, traces and logs to perform Lumapps support and security duties;
  • Storage.
Duration of the processing The duration of the applicable agreement or Order and 3 months after in order to provide the Customer the possibility to retrieve Personal Data.
Categories of personal data Name, address, title, position, telephone, e-mail address, IP address, Usernames, passwords and any other Personal Data voluntarily provided by the users of the Application and/or Customer in the Application (example: job location, date of birth, hobbies, HR registration number, etc).
Categories of persons concerned Users as described in the applicable order form or the Agreement.
List of subprocessor(s) and their location(s)



3. Obligations of Processor

The Processor will process the Personal Data as follows:

(a) Not retain, use or otherwise disclose any Personal Data for any purpose other than to provide the services specified in the Agreement;

(b) Keep the Personal Data secure and accessible only to authorized persons who are committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Process such Personal Data only on documented instructions from the Controller. For Customers that are European this shall include matters concerning transfers of Personal Data to third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(d) At the expiration of the term or during the term of the Agreement, comply with Controller instruction to make available and/or delete the Personal Data as soon as reasonably practicable and within a maximum period of 180 days, unless applicable Data Protection Laws required storage. The cost shall be borne by the Controller;

(e) Make available to the Controller, upon its express request, information necessary to demonstrate compliance with the obligations laid down in this document by appropriate means in compliance with the Processor’s internal organization;

(f) Immediately inform the Controller if, in its opinion, an instruction of the Controller infringes the applicable Data Protection Laws. Once informed that one of its instructions may be in breach of the applicable Data Protection Laws, the Controller shall assess the situation and determine whether the instruction actually violates a Data Protection Law. If the Controller persists with an unlawful instruction, the Processor shall be entitled to terminate this DPA or the related Agreement;

(g) Ensure that such Personal Data is only used for purposes authorized by the Controller;

(h) Implement and maintain appropriate Physical, Technical and Organizational Security Measures. Notwithstanding any provision to the contrary, the Processor may modify or update the Physical, Technical and Organizational Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Physical, Technical and Organizational Security Measures;

(i) Notify the Controller without undue delay, after becoming aware, with all available information regarding a Security Incident and provide cooperation as necessary to enable it to comply with any obligation to report information regarding such a Security Incident to the appropriate regulatory agency and/or to the relevant data subjects in accordance with the requirements of the applicable Data Protection Laws;

(j) Return or with regard to LumApps Software, provide access to retrieve the Personal Data to Controller during the three (3) months after the termination or the expiry of the Agreement, unless required to be stored under other applicable Data Protection Laws;


4. Sub Processing

4.1. The Controller authorizes the Processor to engage Sub-processors to assist in fulfilling LumApps’ obligations with respect to the provision of the Services.

4.2. The list of LumApps’ relevant Sub-processors is available at

4.3. The Processor shall inform the Controller of any changes concerning the addition or replacement of any Sub-processor within a reasonable time. The Controller shall have the opportunity to object to the engagement of a new Sub-processor on legitimate grounds relating to the protection of Personal Data within 10 days after being notified of such change. In case of an objection, the Parties will discuss the Controller’s concerns in good faith with a view to achieving a commercially reasonable resolution.

4.4. When Personal Data is controlled by an European Controller and is sub-processed to Sub-Processors located outside of the EEA, the Controller hereby agrees to the signature by the Processor on its behalf of the standard contractual clauses for the transfer of personal data to Sub-Processors established in third countries under Commission Decision 2021/914 or equivalent standard data protection clauses under EU Law.

4.5. In any case, where the Processor engages Sub-processors, it will impose data protection terms on the Sub-processors that provide at least the same level of protection for Personal Data as those in Section 3, to the extent applicable to the nature of the services provided by such Sub-processors. The Processor will remain responsible for each Sub-processor’s compliance with its data protection obligations.


5. Audit

The Processor shall allow for, and contribute to, audits, including inspections, conducted by the Controller or another auditor mandated by the Controller in accordance with the following procedures:

(a) Upon the Controller’s request, the Processor will provide the Controller or its mandated auditor with the most recent certifications and/or summary audit report(s), which the Processor has procured to regularly test, assess and evaluate the effectiveness of the Physical, Technical and Organizational Security Measures;

(b) The Processor shall reasonably cooperate with the Controller by providing available additional information concerning the Physical, Technical and Organizational Security Measures, to help the Controller better understand such measures;

(c) To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the Parties, only legally mandated entities (such as governmental regulatory agency having oversight of the Controller’s operations), the Controller or its mandated auditor may conduct an audit subject to a fifteen (15) business days prior notice and within the limit of one audit per year. During such audit, the Processor will disclose to the Controller the information necessary to demonstrate compliance with the obligations defined in this Section. The Controller shall have no right to view or access any systems, data, records or other information relating or pertaining to other customers or resellers of the Processor. Any such audit under the scope of this Section by the Controller is conducted at its own costs, on a time and material basis. The Controller shall provide the Processor with a copy of the audit report.

Any auditor mandated by the Controller shall not be a direct competitor of the Processor with regard to the Services and shall be bound to an obligation of confidentiality.


6. Data Subject rights

The Processor will provide support to enable the Controller to respond to any request by any individual exercising his or her right under the applicable Data Protection Laws, including the right to access, correct or retrieve Personal Data, request or complaint by any person or regulatory authority in connection with the processing of Personal Data.

The Processor will take into account the nature of the processing, the information available to the Processor, its competences and the costs of implementation for the fulfillment of Controler’s obligation to respond to a data subject request.

If such requests, correspondence, inquiries or complaints go directly to the Processor, the latter will promptly inform the Controller and will advise the Data Subject to submit their request to the Controller, who is solely responsible for responding substantively to any such requests or communications.

The Controller shall:

(a) warrant to the Processor that it is entitled to, and has obtained all necessary consents required to, use and transfer such Personal Data to Processor as required for the Processor and its sub-processor to provide the Service, in full compliance with applicable Data Protection Laws, including as needed, compliance to any prior required formalities and data subject rights, such as information and/or consent when such is required under applicable Data Protection Laws;

(b) be solely responsible (i) for the accuracy, quality and legality of the Personal Data shared to the Processor and the means by which it acquired Personal Data, and for (ii) determining the purposes and the means of LumApps processing the of Personal Data;

(c) remain responsible for the completeness, the appropriation and the accuracy of the documented instructions.

Any changes to the instructions given or the security measures that are required by the Controller, shall be borne by the Controller.


7. Miscellaneous

The DPA will remain in force as long as the Processor processes Personal Data on behalf of Controller under the Agreement.

This DPA shall be governed by the terms and conditions of the Agreement (including but not limited to terms related to confidentiality, indemnification, limitation of liability, etc).

In the event of any conflict or inconsistency between the terms and conditions of this DPA and any terms or conditions set forth in this Agreement, the terms and conditions set forth in the Agreement shall prevail.


On behalf of
Name: _________________
Position: _____________________
Date: _______________________
On behalf of
Name: Sébastien RICARD
Position: CEO



Previous versions:

LumApps Legal Page