If you are on an AI Buddy plan, your usage includes this Data Processing Agreement (DPA).
This Data Processing Agreement ("DPA") forms part of the Terms of Service ordered by the Customer (the "Agreement") between Lumacore Consulting Pte. Ltd. ("Lumacore") & the Customer.
The parties expressly acknowledge & agree that:
- Lumacore processes Customer Personal Data solely on behalf of & under the instructions of the Customer.
- Each party remains solely responsible for its own compliance with Applicable Data Protection Laws, including the Singapore Personal Data Protection Act 2012 (PDPA).
- Lumacore acts as a Data Intermediary (Processor) under the PDPA in respect of Customer Personal Data.
1. Definitions
- "Applicable Data Protection Laws" means the Singapore PDPA, & where applicable, the GDPR, CCPA, & UK Data Protection Act 2018.
- "Customer Personal Data" means any personal data processed by Lumacore on behalf of the Customer in connection with the SOP Builder, Grant Compass, or AI Buddy services.
- "Data Intermediary" has the same meaning as "Processor" under GDPR, referring to Lumacore's role in processing data for the Customer.
- "Personal Data Breach" means a confirmed security breach leading to the accidental or unlawful destruction, loss, or unauthorized disclosure of Customer Personal Data.
2. Processing Instructions
Lumacore shall process Customer Personal Data only on the Customer's documented instructions for the purposes of providing the operational engineering services defined in the Agreement. Lumacore shall inform the Customer if an instruction, in its opinion, infringes Applicable Data Protection Laws.
3. Security Measures
Lumacore shall implement appropriate technical & organizational measures to ensure a level of security appropriate to the risk. This includes maintaining systemic integrity through encryption, access controls, & regular audits as outlined in our Security documentation.
4. Sub-processing
The Customer grants a general authorization to Lumacore to engage sub-processors (e.g., Supabase for hosting, OpenAI for AI logic). Lumacore shall ensure that sub-processors are bound by data protection obligations equivalent to those in this DPA. A list of current sub-processors is available upon request.
5. Data Subject Rights
Lumacore shall, taking into account the nature of the processing, assist the Customer by appropriate technical & organizational measures for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights (e.g., access or correction requests under PDPA).
6. Data Breach Notification
Lumacore shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach. Lumacore shall take reasonable steps to mitigate the effects & minimize any damage resulting from the breach.
7. International Transfers
Lumacore shall ensure that any transfer of Personal Data outside of Singapore complies with the Transfer Limitation Obligation of the PDPA, ensuring that the standard of protection afforded to the data is comparable to that under the PDPA.
8. Return & Deletion
Upon termination of the Agreement, Lumacore shall, at the choice of the Customer, delete or return all Customer Personal Data, unless Singapore law or applicable regulations require continued storage of the data.
9. Governing Law
This DPA is governed by the laws of the Republic of Singapore. The parties submit to the exclusive jurisdiction of the Singapore courts.
10. Contact Details
Data Protection Officer (DPO)
Email: dpo@lumacore.pro
Address: 60 Paya Lebar Road, #06-28 Paya Lebar Square, Singapore 409051