Data Processing Agreement
Last updated:
1. Subject matter and scope
This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and Tatan Corp SAS, operator of Lumbox ("Processor"). It governs all processing of personal data carried out by the Processor in connection with the provision of the Lumbox platform, in compliance with Regulation (EU) 2016/679 (GDPR).
2. Categories of data processed
The Processor processes the following categories of personal data on behalf of the Controller: (a) identity and contact data (name, email address); (b) access and authentication data (credentials, API tokens, session logs); (c) deployment configuration data (environment variables, container image references, domain settings); (d) audit logs and usage events.
3. Processing instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by law. The Controller's instructions are set out in the Lumbox Terms of Service and any supplementary agreement.
4. Data residency and transfers
All personal data is hosted in data centres located within the European Economic Area (EEA). The per-project region class (DE / FR / NL / PL / EU-mixed) is technically enforced by the deployment infrastructure. No transfers to third countries take place without Standard Contractual Clauses or an equivalent mechanism.
5. Sub-processors
An up-to-date list of sub-processors is published at lumbox.eu/en/legal/sub-processors. The Controller will be notified of any addition or replacement of a sub-processor with at least 30 days' notice.
6. Security measures
The Processor implements and maintains appropriate technical and organisational measures, including: encryption in transit; role-based access control; immutable audit logs; infrastructure hardening; patch management; and annual penetration tests.
7. Data subject rights
The Processor assists the Controller in fulfilling data subject rights (access, rectification, erasure, portability, objection) via dedicated API endpoints: POST /api/v1/me/export and DELETE /api/v1/me.
8. Breach notification
In the event of a personal data breach, the Processor shall notify the Controller within 72 hours of becoming aware of it, in accordance with GDPR Article 33.
9. Term and termination
This DPA terminates with the Terms of Service. Upon termination, the Processor shall delete or return all personal data within 30 days, unless legally required to retain it.
10. Contact
For any question regarding this DPA or to exercise your rights: privacy@lumbox.eu