Data Processing Agreement (DPA)
Last updated: April 2026
This Data Processing Agreement (DPA) supplements our Terms of Service and Privacy Policy. It applies when you, as a Controller, use LuniOps services that involve the processing of personal data on your behalf.
1. Scope and Purpose
LuniOps processes personal data on behalf of Customers (Controllers) solely for the purpose of providing the distribution operations platform as described in the Terms of Service. Processing includes: storage of customer/contact records, order data, delivery records, invoicing data, and user account information.
2. Processor Obligations
LuniOps (Processor) shall: process personal data only on documented instructions from the Controller; ensure persons authorized to process data are under confidentiality obligations; implement appropriate technical and organizational measures (TLS 1.3, AES-256 encryption, tenant isolation, RBAC); assist the Controller with data subject requests; delete or return data upon termination; make available information necessary for audits.
3. Sub-Processors
LuniOps uses the following sub-processors: - Google Cloud Platform (Firebase): Cloud infrastructure, database, authentication, storage — EU (europe-west4) - Stripe Inc.: Payment processing — EU/US - Vercel Inc.: Web application hosting — EU/US We will notify you of any intended changes to sub-processors, giving you the opportunity to object.
4. Security Measures
Technical measures: AES-256 encryption at rest, TLS 1.3 in transit, multi-tenant data isolation at database level, role-based access control (4-layer RBAC), append-only audit logging, automated backups. Organizational measures: access limited to authorized personnel, security incident response procedures, regular security reviews.
5. International Transfers
Primary data storage is in the EU (Google Cloud Platform, europe-west4, Netherlands). Where sub-processors are based outside the EU, transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.
6. Data Breach Notification
LuniOps will notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of a personal data breach affecting Controller data.
7. Contact
For DPA-related inquiries or to request a signed copy: privacy@luniops.de