Version 1.0
Data Processing Addendum
Effective date: 1 June 2026
This Data Processing Addendum forms part of the agreement between Luuma and the Customer where Luuma processes personal data on behalf of the Customer in connection with the Services.
Luuma acts primarily as a processor or sub-processor for Customer Data. The Customer, reseller, merchant, or relevant upstream party normally acts as controller for the underlying personal data.
This DPA is provided by Luuma LTD, company number 16763866, with registered office at 38 Green Close, Renishaw, S21 3WS. Data protection notices should be sent to data@luuma.cloud. Unless the parties sign a separate DPA, this DPA is accepted as part of the Terms of Service.
1. Roles of the parties
Customer is the controller or processor, as applicable, for Customer Personal Data. Luuma is the processor or sub-processor when it processes Customer Personal Data on Customer's documented instructions to provide the Services.
If Customer is a processor acting for a merchant or another controller, Customer confirms that it has authority to appoint Luuma as sub-processor and to issue processing instructions to Luuma.
2. Subject matter and duration
The subject matter is Luuma's processing of Customer Personal Data for digital signage, EPOS insights, analytics, reporting, operational intelligence, support, diagnostics, and related service delivery.
Processing continues for the term of the Services and any period required for deletion, return, backup expiry, legal compliance, or dispute resolution.
3. Nature and purpose of processing
- Hosting, storing, retrieving, and transmitting Customer Personal Data.
- Ingesting and transforming EPOS, ICRTouch, receipt, product, menu, till, and operational data.
- Generating analytics, reporting, dashboards, operational summaries, and signage outputs.
- Managing users, permissions, reseller relationships, devices, screens, and licences.
- Providing customer support, diagnostics, monitoring, incident response, and service maintenance.
- Creating backups, logs, and audit records needed to operate and secure the Services.
4. Categories of personal data
- Authorised user data such as business email address, name where provided, role, organisation, permissions, account status, login metadata, and support contact details.
- Clerk, operator, or staff IDs included in EPOS, receipt, till, report, or operational data.
- Device, diagnostic, telemetry, IP-derived, event, and audit data linked to authorised users, sites, tills, screens, or devices.
- Personal data that may incidentally appear in receipt, report, media, support, or uploaded content. Luuma does not intentionally collect end-customer names, addresses, emails, card numbers, payment credentials, or loyalty programme data.
5. Categories of data subjects
- Customer, reseller, support provider, and merchant authorised users.
- Merchant staff, clerks, operators, managers, and support personnel whose staff, clerk, or operator IDs appear in EPOS or operational data.
- Business contacts who interact with Luuma support, onboarding, billing, or administration.
- End customers, only where personal data is incidentally included by a source system or a Customer-controlled upload; Luuma does not intend to process end-customer personal data.
6. Customer obligations
- Customer must provide lawful, documented processing instructions.
- Customer must ensure it has all required lawful bases, notices, rights, consents, authorities, and agreements for the processing.
- Customer must not submit unnecessary sensitive data, cardholder data, payment credentials, or loyalty programme data unless expressly agreed in writing.
- Customer must configure source systems and reseller access controls to limit personal data sent to Luuma to what is needed for the Services.
7. Luuma obligations
- Luuma will process Customer Personal Data only on documented instructions from Customer unless required by law.
- Luuma will ensure personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
- Luuma will implement technical and organisational measures designed to protect Customer Personal Data.
- Luuma will assist Customer, taking into account the nature of processing and information available, with data subject requests, security obligations, DPIAs, consultations, and breach obligations as required by UK GDPR.
- Luuma will notify Customer if, in Luuma's opinion, an instruction infringes UK data protection law.
8. Security measures
- Encryption in transit for application traffic where supported by the platform.
- Password hashing and authentication controls for user accounts.
- Role-based access controls and tenant separation controls designed to limit access to authorised users.
- Operational access controls for production systems.
- Logging, monitoring, diagnostics, and alerting designed to detect reliability and security issues.
- Backup and recovery practices designed to protect availability and resilience.
- Change management and deployment controls appropriate to the size and risk profile of the Services.
- Vendor review and contractual controls for subprocessors handling Customer Personal Data.
9. Subprocessors
Customer gives Luuma general authorisation to use subprocessors to provide the Services. Luuma will require subprocessors to protect Customer Personal Data under terms designed to provide an equivalent level of protection to this DPA.
Luuma may use subprocessors for cloud hosting, database infrastructure, storage, content delivery, email delivery, payment processing, media processing, AI features where enabled, monitoring, logging, and customer support.
Current key subprocessors and service providers are:
- Vercel for application hosting, deployment, edge delivery, and platform logs.
- MongoDB for database hosting, backup, and managed database operations.
- Amazon Web Services for object storage, release storage, media storage, and related infrastructure.
- Mux for video upload, processing, hosting, and delivery.
- Stripe for billing, subscription, payment administration, fraud prevention, and related financial operations.
- Resend for transactional email delivery and related email metadata.
- OpenRouter for AI request routing and AI usage infrastructure.
- OpenAI for AI model processing where OpenAI-backed models are enabled through OpenRouter.
Processing locations include the configured AWS S3 eu-north-1 region, the configured MongoDB database region, the United States, Ireland, the EEA, and other global service locations used by the relevant providers.
Luuma will maintain the current subprocessor information on its website and will update that website information when material subprocessor changes are made.
10. Personal data breaches
Luuma will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to Luuma to help Customer meet its own breach assessment and notification obligations.
Luuma will take steps designed to contain, investigate, and remediate the incident, taking into account the nature of the Services and the information available.
11. Deletion and return
On termination or expiry of the Services, Luuma will delete or return Customer Personal Data according to Customer's instructions, the agreement, and applicable law. Backup copies may remain for a limited period until overwritten or deleted in the ordinary course of backup operations.
Luuma may retain limited records where required for legal, accounting, security, audit, or dispute-resolution purposes.
12. International transfers
Luuma will not transfer Customer Personal Data internationally unless a lawful transfer mechanism applies. Where required, Luuma aims to use UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU standard contractual clauses, or another valid safeguard.
13. Audit and information
Luuma will make available information reasonably necessary to demonstrate compliance with this DPA and will support audits or inspections required by UK GDPR, subject to reasonable notice, confidentiality, security controls, and measures to avoid disruption to the Services or other customers.
14. Order of precedence
If there is a conflict between this DPA and another agreement between the parties, this DPA controls for the processing of Customer Personal Data unless the parties expressly agree otherwise in writing.