Skip to main content

Data Processing Agreement (DPA)

Copy revision: July 2026 (not legal approval)

Non-final draft pending legal and accountant review. Signed customer terms control; an executed customer-specific DPA is required, and this public template creates no processor obligation.

This non-final DPA template is provided only for customer and counsel review. It does not identify a confirmed processor and creates no obligation until the provider identity is configured, legal approval is complete, and customer-specific terms are signed. Final processor obligations, technical measures, sub-processors, regions, and notification terms belong in that executed agreement before production processing.

1. Scope and Purpose

If executed customer terms appoint the provider identified in the Legal Notice as processor, the agreed scope may cover operation of the LuniOps distribution platform and storage of customer/contact records, order data, delivery records, invoicing data, and user account information. The final scope is defined only in the signed agreement.

2. Processor Obligations

The signed DPA defines documented processing instructions, confidentiality duties, assistance with data-subject requests, termination handling, audit information, and deployment-scoped technical and organizational measures. No fixed encryption version or control status is promised by this unsigned public draft.

3. Sub-Processors

The signed DPA lists the sub-processors actually deployed for the customer, their purposes, regions, transfer safeguards, change process, and any objection rights after provider and legal review. Managed Google Cloud/Firebase services are technical candidates; a payment provider is included only if selected and activated for contracted billing. This public template is not a production sub-processor register.

4. Security Measures

Technical measures are deployment-scoped and evidenced before signature. Review areas include managed-service transport and storage protection, tenant-isolation rules, role and access controls, audit events for supported mutations, and backup/restore controls after production activation and verification. Organizational measures, monitoring, retention, and incident procedures are recorded in the signed TOM annex after legal and operational review.

5. International Transfers

Primary infrastructure is hosted on managed cloud providers. Where sub-processors are based outside the EU/EEA, transfers are assessed under GDPR Chapter V, including Articles 44-46, and are governed by Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914 or another valid transfer mechanism where required. LuniOps reviews transfer risks and supplementary measures for relevant sub-processors and records production-region configuration service by service.

6. Data Breach Notification

Confirmed personal-data incidents are assessed and communicated without undue delay where legally required. The notification channel, cooperation duties, and any contractual deadline are defined in the signed DPA after legal review.

7. Contact

For review of this DPA template, use the secure contact form or the confirmed email published in the Legal Notice. Any executed copy requires configured provider identity, counsel approval, and signed customer terms.