Effective: April 21, 2026
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the agreement between LumoAuth (“LumoAuth,” “we,” “us”) and the customer identified in the ordering documents (“Customer”) under which LumoAuth provides the LumoAuth identity platform and related services (the “Agreement” and the “Services”). It governs the processing of Customer Personal Data in connection with the Services and reflects the parties’ commitments under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection (“Swiss FADP”), and U.S. state privacy laws including the California Consumer Privacy Act as amended (“CCPA”).
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the subject matter of data protection. Capitalized terms not defined herein have the meaning given in the Agreement.
1. Definitions
1.1 “Customer Personal Data” means Personal Data that LumoAuth Processes on behalf of Customer in connection with the Services.
1.2 “Data Protection Laws” means all applicable laws relating to the protection of Personal Data, including the GDPR, the UK GDPR, the Swiss FADP, and U.S. State Privacy Laws.
1.3 “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given in the GDPR (or the equivalent concepts under other Data Protection Laws).
1.4 “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated.
1.5 “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data while Processed by LumoAuth or a Sub-processor. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, and similar incidents.
1.6 “Sub-processor” means any third party engaged by LumoAuth to Process Customer Personal Data on LumoAuth’s behalf.
1.7 “U.S. State Privacy Laws” means the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and any other U.S. state data-protection or consumer-privacy law in force from time to time, as applicable.
1.8 “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the United Kingdom Information Commissioner under s.119A of the Data Protection Act 2018, version B.1.0, 21 March 2022.
2. Interaction with the Agreement
2.1 This DPA applies to the extent LumoAuth Processes Customer Personal Data in connection with the Services. It supersedes any prior data-processing terms between the parties.
2.2 The liability of each party under this DPA is subject to the aggregate limitation of liability set out in the Agreement, except to the extent such limitation is prohibited by Data Protection Laws.
3. Role of the parties
3.1 Processor / Sub-processor role. With respect to Customer Personal Data:
- (a) Customer is the Controller (or, where Customer itself Processes Personal Data on behalf of a third-party controller, the Processor), and LumoAuth is the Processor (or Sub-processor, as applicable);
- (b) each party will comply with its obligations under Data Protection Laws in that role; and
- (c) LumoAuth will Process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer’s use of the Services.
3.2 Independent controller role — Account Data. LumoAuth is an independent Controller (and not a joint Controller with Customer) in respect of Account Data — information about Customer’s representatives (name, business email, hashed login credentials, billing contact), security and abuse-prevention telemetry, and aggregate usage metrics needed to administer the Customer account, secure the Services, bill the Customer, comply with law, and improve the Services. LumoAuth’s Processing of Account Data is governed by our Privacy Policy, not this DPA.
3.3 CCPA service-provider status. To the extent LumoAuth Processes Personal Data subject to U.S. State Privacy Laws, LumoAuth acts as a “service provider” or “processor” as defined in those laws. LumoAuth will not:
- sell or share Customer Personal Data (including for cross-context behavioral advertising);
- retain, use, or disclose Customer Personal Data outside of the direct business relationship between LumoAuth and Customer;
- retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by U.S. State Privacy Laws; or
- combine Customer Personal Data with Personal Data obtained from or on behalf of any other person, except as permitted under U.S. State Privacy Laws for the performance of the Services.
LumoAuth will inform Customer without undue delay if it determines that it can no longer meet these obligations.
3.4 Customer responsibilities. Customer is responsible for (i) the lawfulness and accuracy of Customer Personal Data, (ii) providing all notices and obtaining all consents and authorizations required under Data Protection Laws to permit LumoAuth’s Processing, (iii) configuring the Services’ privacy controls (such as retention settings, MFA requirements, tenant permissions, webhook destinations, and AI-feature enablement) consistent with Customer’s own obligations, and (iv) responding to Data Subject requests as Controller.
3.5 Instructions. Customer’s complete and final instructions to LumoAuth are: (a) the Agreement, (b) this DPA, and (c) configuration and commands Customer issues through the Services. LumoAuth will inform Customer without undue delay if, in its opinion, an instruction infringes Data Protection Laws; LumoAuth may suspend performance of the affected instruction pending resolution.
4. Details of Processing
Schedule 1 (Details of Processing) describes the subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Customer Personal Data Processed under this DPA.
5. Sub-processors
5.1 General authorization. Customer grants LumoAuth general written authorization to engage Sub-processors. The current list of Sub-processors, including the infrastructure providers for the US and EU hosting regions, is set out in Schedule 7 (Sub-processors) and published at https://lumoauth.dev/legal/subprocessors.
5.2 Obligations on Sub-processors. LumoAuth will (i) enter into a written agreement with each Sub-processor imposing data-protection obligations substantially no less protective than those in this DPA, to the extent applicable to the nature of the services provided by the Sub-processor, and (ii) remain liable to Customer for each Sub-processor’s performance of those obligations.
5.3 Changes; right to object. LumoAuth will give Customer at least fifteen (15) days’ prior notice of the addition or replacement of a Sub-processor through the published subprocessor list (or, at Customer’s request, by email to a named Customer contact). Customer may object on reasonable data-protection grounds within ten (10) days of such notice. If Customer so objects, the parties will cooperate in good faith to resolve the objection, which may include LumoAuth offering an alternative configuration (for example, continued use of the existing Sub-processor, or a different region). If no resolution is reached within thirty (30) days, either party may terminate the portion of the Services that cannot be provided without the proposed change, and Customer will be refunded any pre-paid fees for the terminated portion covering the period after termination.
6. Data Subject requests
6.1 LumoAuth will, to the extent permitted by law, promptly forward to Customer any request LumoAuth receives from a Data Subject in relation to Customer Personal Data, and will not respond directly to the Data Subject except to confirm that the request has been received and forwarded to Customer.
6.2 LumoAuth will provide Customer with reasonable assistance, including through self-service tooling in the Services (for example, admin-console user deletion, data export APIs, and GDPR-subject-rights commands), to enable Customer to respond to Data Subject requests.
6.3 If Customer requires assistance beyond self-service tools, LumoAuth may recover reasonable costs incurred in providing that assistance.
7. Security and audits
7.1 Security measures. LumoAuth will implement and maintain the technical and organizational measures set out in Schedule 2 (Technical and Organizational Measures). LumoAuth may update these measures from time to time, provided the overall level of protection is not materially diminished.
7.2 Personnel. LumoAuth ensures that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations, have received appropriate data-protection training, and have access to Customer Personal Data only on a need-to-know basis.
7.3 Audits and certifications. Upon Customer’s written request at reasonable intervals (and no more than once per calendar year, unless a Security Incident has occurred or Data Protection Laws require otherwise), LumoAuth will make available the information reasonably necessary to demonstrate compliance with this DPA, including:
- (a) the latest third-party audit reports and certifications that LumoAuth holds or can reasonably obtain for its infrastructure providers (for example, ISO 27001 certifications held by Hetzner for its EU and US data centers);
- (b) completed industry-standard security questionnaires (such as CAIQ or SIG Lite);
- (c) a summary of LumoAuth’s information-security policies; and
- (d) where the foregoing is insufficient to demonstrate compliance, an on-site audit of LumoAuth’s facilities conducted by Customer or a qualified independent auditor mutually agreed by the parties, subject to at least thirty (30) days’ prior written notice and execution of appropriate confidentiality undertakings, and conducted during business hours in a manner that does not unreasonably interfere with LumoAuth’s operations.
7.4 Customer bears the costs of audits carried out under Section 7.3(d), including reasonable time-and-expense reimbursement for LumoAuth’s participation.
8. Security Incidents
8.1 LumoAuth will notify Customer without undue delay, and in any event within seventy-two (72) hours after LumoAuth becomes aware of a Security Incident affecting Customer Personal Data.
8.2 The notification will contain the information then available to LumoAuth, including a description of the nature of the Security Incident, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the incident and mitigate its effects. LumoAuth will provide updates as more information becomes available.
8.3 LumoAuth will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will cooperate with Customer’s reasonable requests for information and assistance (including with Customer’s notification obligations to Data Subjects and Supervisory Authorities).
8.4 Notification of, or response to, a Security Incident under this Section 8 is not an acknowledgement by LumoAuth of any fault or liability.
9. Deletion and return
9.1 Upon termination or expiration of the Agreement, and at Customer’s choice, LumoAuth will either (a) delete or (b) return to Customer all Customer Personal Data, and delete existing copies, unless retention is required by Data Protection Laws. Self-service tooling (admin console export, data-export API) is sufficient to satisfy Customer’s return option at Customer’s election.
9.2 LumoAuth will complete deletion within ninety (90) days of termination or expiration, and will procure deletion by Sub-processors in accordance with their contractual obligations to LumoAuth. Customer Personal Data that persists in encrypted backup media will be overwritten or cryptographically erased in the ordinary course within the backup-retention window and will not be restored to production except in the event of a disaster-recovery need (in which case deletion will then take effect on the restored copy).
9.3 Where retention is required by law, LumoAuth will isolate the retained Customer Personal Data, restrict further Processing to the legal-obligation purpose, and delete it when the legal obligation expires.
10. Term
This DPA takes effect on the Effective Date above and remains in force for so long as LumoAuth Processes Customer Personal Data under the Agreement. Obligations that by their nature should survive (including Sections 3, 8, 9, and 10 and Schedules 3–6) survive termination.
11. Cross-border data transfers
11.1 Hosting regions. LumoAuth offers Customer a choice of hosting region at the time of tenant provisioning:
- EU region — Customer Personal Data Processed in the Services’ production path is stored and Processed on infrastructure located in Germany (Hetzner data centers in Nuremberg / Falkenstein).
- US region — Customer Personal Data Processed in the Services’ production path is stored and Processed on infrastructure located in the United States (Hetzner data centers in Ashburn, Virginia / Hillsboro, Oregon).
Customer selects the region for its tenant; Customer Personal Data in a given tenant is not replicated between regions by LumoAuth.
11.2 Transfers under EU law. Where Customer’s transfer of Customer Personal Data to LumoAuth, or any onward transfer by LumoAuth to a Sub-processor, is a “restricted transfer” under the GDPR, the SCCs are incorporated into this DPA by reference as follows (see Schedule 3): Module Two (controller to processor) where Customer is the Controller; Module Three (processor to processor) where Customer is itself a Processor for a third-party controller; and Module One (controller to controller) for any Account Data LumoAuth receives as independent Controller. The SCCs apply with the elections and specifications set out in Schedule 3, and Annexes I–III of the SCCs are populated by Schedules 1, 2, and 7 respectively.
11.3 UK and Swiss transfers. Transfers of Customer Personal Data subject to the UK GDPR or the Swiss FADP are subject to the UK Addendum and the Swiss supplemental terms in Schedule 5.
11.4 Supplementary measures. LumoAuth has implemented, in addition to the SCCs, the supplementary technical, organizational, and contractual measures set out in Schedule 4, which are designed to address the concerns identified by the Court of Justice of the European Union in Schrems II and by the European Data Protection Board’s guidance on supplementary measures.
11.5 Transfer impact assessments. LumoAuth will provide Customer with reasonable information to enable Customer to conduct a transfer impact assessment, including documentation of LumoAuth’s approach to government-access requests (Schedule 4), the location of Sub-processors, and the certifications held by infrastructure providers.
12. Customer Personal Data subject to U.S. State Privacy Laws
To the extent U.S. State Privacy Laws apply, the U.S. Addendum in Schedule 6 supplements this DPA.
13. General
13.1 Governing law. This DPA is governed by the law specified in the Agreement, except that Schedule 3 (SCCs), Schedule 5 (UK/Swiss), and the supplementary measures in Schedule 4 are governed by the laws specified therein.
13.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.
13.3 Order of precedence. In the event of conflict: (i) the SCCs (Schedule 3) and the UK Addendum (Schedule 5) prevail over the body of this DPA; (ii) this DPA prevails over the Agreement; and (iii) subject to (i) and (ii), the Agreement prevails over any inconsistent customer ordering document.
13.4 Entire agreement. This DPA, together with the Agreement, constitutes the entire agreement of the parties relating to the Processing of Customer Personal Data.
Schedule 1 — Details of Processing
Part A — Parties
Data exporter: Customer, as identified in the Agreement. Where Customer is itself acting as a Processor for a third party (for example, Customer’s own customer), Customer represents that it has authority from that third-party Controller to enter into this DPA.
Data importer: LumoAuth, the operator of the LumoAuth identity platform.
Contact for data-protection matters: privacy@lumoauth.dev.
Part B — Processing description
| Element | Description |
|---|---|
| Subject matter | Provision of the LumoAuth identity platform, including authentication, authorization, directory, MFA, SSO, push-auth, and related services described in the Agreement. |
| Duration | For the term of the Agreement plus the post-termination period set out in Section 9. |
| Nature and purpose of Processing | Operating sign-up, sign-in, session, and token flows; managing user directory and group data; enforcing authorization policies (including Google Zanzibar–style relationship tuples and ABAC policies); delivering WebAuthn/FIDO2, TOTP, and push-authentication factors; operating SCIM provisioning with external identity providers; running audit logging; generating reports; securing the Services; and providing support. |
| Categories of Data Subjects | Customer’s end users; Customer’s administrators and employees; and, where applicable, the representatives of Customer’s own customers who interact with Customer’s applications. |
| Categories of Personal Data | Identifiers (email, username, phone number, external directory ID, user ID); authentication credentials (hashed passwords, WebAuthn/FIDO2 public keys, encrypted TOTP secrets, push-auth enrollment material); profile attributes configured by Customer; session and token metadata (issued tokens, refresh tokens, session IDs, expiry); device and request metadata (IP address, user agent, approximate IP-derived geolocation, timestamps); audit and security events (authentication outcomes, authorization decisions, SCIM events, admin actions); webhook-delivery metadata; and any other data elements Customer configures in its tenant schema. |
| Special categories | LumoAuth does not solicit special categories of Personal Data. Customer will not configure the Services to collect special-category data without a valid legal basis and without first notifying LumoAuth and entering into supplemental terms. |
| Frequency | Continuous, for the duration of the Agreement. |
| Retention | As configured by Customer in the Services. Defaults: authentication logs retained for a rolling period configurable up to twelve (12) months; session tokens purged on expiry; user records retained until deleted by Customer or until Agreement termination per Section 9. |
| Hosting region | EU (Germany) or US (Hetzner), selected by Customer at tenant provisioning. See Section 11.1. |
| Onward transfers | To the Sub-processors listed in Schedule 7, solely to provide the Services. |
Part C — Competent Supervisory Authority
Where the GDPR applies and Customer is established in, or has a representative in, the EEA, the Supervisory Authority of the EU Member State in which Customer (or its EU representative) is established is the competent authority. Where the UK GDPR applies, the UK Information Commissioner’s Office is the competent authority. Where the Swiss FADP applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
Schedule 2 — Technical and Organizational Measures
LumoAuth maintains the following measures, updated from time to time. The overall level of protection will not be materially diminished.
1. Physical security (infrastructure providers)
- Production workloads run on Hetzner Online GmbH infrastructure in data centers certified under ISO/IEC 27001. Data centers have 24×7 monitoring, multi-factor physical access controls, CCTV, perimeter protection, and redundant power and cooling.
- LumoAuth does not operate any servers outside of these certified data centers for production Customer Personal Data.
2. Tenant isolation
- Each Customer tenant has a row-level tenant context enforced at the service tier; cross-tenant reads and writes are prevented by query-level guards and verified by integration tests.
- Per-tenant signing keys are used where the Services issue tenant-scoped tokens.
3. Encryption
- In transit: TLS 1.2 or higher is required for all external connectivity, including dashboards, APIs, webhooks, and push-auth device traffic.
- At rest: Production database volumes are encrypted at the storage layer. Authenticator material is additionally protected above the storage layer: passwords are stored as salted cryptographic hashes; WebAuthn/FIDO2 credentials are stored as public keys only; TOTP secrets and push-auth private material are encrypted with application-layer keys.
- Keys: Encryption keys are managed under a documented key-management procedure with periodic rotation.
4. Access control and least privilege
- LumoAuth personnel authenticate with SSO, multi-factor authentication, and, for privileged production access, hardware-backed credentials.
- Production access is granted on a least-privilege, time-bound, and auditable basis. Changes to access rights are logged and reviewed.
- Administrative endpoints enforce step-up authentication (recent-auth requirement) for credential-changing actions, and rate-limit sensitive flows.
5. Authentication of end users
- The Services offer strong authentication options to Customer end users, including WebAuthn/FIDO2, TOTP, and push-authentication via the Lumo Push Auth mobile app, as configured by Customer.
- Passwords are validated against a tenant-configurable policy and known-breached-password lists.
6. Audit logging
- The Services write a structured audit log of authentication, authorization, admin, and security-sensitive events. Logs include actor, tenant, target, event type, outcome, request IP, and timestamp, and are available to Customer administrators.
- LumoAuth maintains its own platform-level logs separate from Customer-visible audit logs; access is restricted and audited.
7. Secure development lifecycle
- Code changes go through peer review, automated static analysis, and an automated test suite that includes security-focused tests (CSRF, authentication firewalls, authorization boundaries, tenant isolation).
- Dependencies are tracked for known vulnerabilities; security-relevant updates are prioritized.
- Pre-production environments do not contain production Customer Personal Data; test data is synthetic or anonymized.
8. Vulnerability management
- LumoAuth performs regular vulnerability assessments of the Services, including automated dependency scanning and periodic third-party penetration tests (results available under NDA).
- A documented responsible-disclosure channel is maintained at security@lumoauth.dev.
9. Change management
- Infrastructure and application changes follow a change-management process with peer review, staged rollout, rollback capability, and post-deployment monitoring.
10. Incident response
- LumoAuth maintains an incident-response plan covering detection, triage, containment, eradication, recovery, notification (per Section 8), and lessons-learned review. The plan is tested periodically.
11. Business continuity and disaster recovery
- Production databases are backed up on a rolling schedule with encrypted, off-host storage within the same region.
- Recovery procedures are documented and tested. Targets: RPO ≤ 24 hours, RTO ≤ 24 hours for core authentication paths.
12. Sub-processor oversight
- LumoAuth evaluates Sub-processors before engagement and at renewal, including review of the Sub-processor’s security practices and data-protection posture.
13. Personnel
- All LumoAuth personnel sign written confidentiality undertakings, complete security and privacy training on hire and periodically thereafter, and undergo background checks to the extent permitted by law in the relevant jurisdiction.
Schedule 3 — Standard Contractual Clauses (GDPR)
1. Incorporation
Where this DPA governs a restricted transfer under the GDPR, the SCCs are incorporated by reference and apply with the following elections.
2. Module selection
- Module Two (Controller → Processor) applies where Customer is the Controller of the transferred data and LumoAuth is the Processor.
- Module Three (Processor → Processor) applies where Customer acts as Processor for a third-party controller and LumoAuth is a Sub-processor.
- Module One (Controller → Controller) applies to any transfer of Account Data (Section 3.2) where LumoAuth is an independent Controller.
3. Optional clauses and elections
| Clause | Election |
|---|---|
| Clause 7 (Docking clause) | Included. |
| Clause 9 (Use of Sub-processors) | Option 2 — general written authorization, with at least 15 days’ notice as per Section 5.3. |
| Clause 11 (Redress) | The optional language on independent dispute resolution is not included. |
| Clause 17 (Governing law) | The law of the Republic of Ireland. |
| Clause 18 (Choice of forum and jurisdiction) | The courts of Ireland. |
4. Annex mapping
- SCC Annex I.A (List of parties): Schedule 1, Part A.
- SCC Annex I.B (Description of transfer): Schedule 1, Part B.
- SCC Annex I.C (Competent supervisory authority): Schedule 1, Part C.
- SCC Annex II (Technical and organizational measures): Schedule 2.
- SCC Annex III (List of Sub-processors, where Module Two or Three applies and Option 2 of Clause 9 is selected): Schedule 7.
5. Precedence
In the event of a conflict between the SCCs and the rest of this DPA or the Agreement, the SCCs prevail with respect to the restricted transfer.
Schedule 4 — Supplementary measures for international transfers
LumoAuth has adopted the following supplementary measures in addition to the SCCs, consistent with the European Data Protection Board’s Recommendations 01/2020.
1. Technical measures
- In-region Processing. Production Customer Personal Data is Processed in the region the Customer selects (Section 11.1). LumoAuth does not relocate production data to a different region in response to a government request.
- Strong encryption. All external network traffic is TLS-encrypted; authenticator secrets and tokens are additionally encrypted at the application layer; database volumes are encrypted at rest. LumoAuth does not hold cleartext passwords and cannot produce them in response to a request.
- Pseudonymization and minimization. The Services are architected so that LumoAuth Processes only the data necessary for authentication and authorization; LumoAuth does not request or store identity documents, biometric templates, or payment-card numbers in the authentication path.
2. Organizational measures
- Access minimization. Access to production Customer Personal Data is limited to a small, documented group of personnel with a demonstrable need; all such access is logged.
- Training on public-authority requests. Personnel with production access are trained on how to identify and escalate requests for disclosure from public authorities.
- Transparency report. LumoAuth maintains a published transparency report, updated at least annually, covering the number and type of legally binding requests for Customer Personal Data received from public authorities.
3. Contractual measures — public-authority requests
LumoAuth will:
- (a) Assess and challenge. Carefully review each legally binding request for Customer Personal Data from a public authority for compatibility with Data Protection Laws and challenge the request (including by pursuing interim relief) where, after a careful assessment, LumoAuth concludes there are grounds to do so under the laws of the country of destination.
- (b) Notify Customer. Promptly inform the affected Customer of any such request — including what data was requested, the requesting authority, the legal basis, and the response provided — except where legally prohibited from doing so. Where prohibited, LumoAuth will use reasonable efforts to challenge the prohibition and to provide aggregate information as soon as legally permitted.
- (c) Minimize disclosure. Disclose only the minimum amount of Customer Personal Data strictly required to respond to the request.
- (d) No voluntary access. Not provide Customer Personal Data to any public authority on a voluntary basis, including not creating or maintaining any “back door” that would provide a public authority with access to Customer Personal Data outside a lawful, binding process.
- (e) Section 702 / E.O. 12333. To the extent LumoAuth receives a request under section 702 of the U.S. Foreign Intelligence Surveillance Act or Executive Order 12333, paragraphs (a)–(d) apply.
Schedule 5 — UK and Swiss Addendum
Part 1 — UK
The UK Addendum (International Data Transfer Addendum to the SCCs, version B.1.0, 21 March 2022) is incorporated by reference and forms part of this DPA to the extent Customer Personal Data is subject to the UK GDPR.
- Table 1 (Parties) is populated by Schedule 1, Part A.
- Table 2 (Selected SCCs, Modules and Selected Clauses) is populated by Schedule 3.
- Table 3 (Appendix Information) is populated by Schedules 1, 2, and 7.
- Table 4 (Ending this Addendum): the data importer (LumoAuth) may end the Addendum when the Approved Addendum changes, as set out in clause 19 of the Mandatory Clauses.
- Clause 16 of the Mandatory Clauses is not modified.
Part 2 — Switzerland
For transfers subject to the Swiss FADP, the SCCs apply with the following amendments:
- References to “Regulation (EU) 2016/679” are interpreted as references to the Swiss FADP;
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC);
- The term “Member State” does not prevent data subjects in Switzerland from exercising their rights in their country of habitual residence;
- Until the revised Swiss FADP comes into full effect, the SCCs also protect Personal Data relating to legal entities.
Schedule 6 — U.S. Addendum
To the extent U.S. State Privacy Laws apply to Customer Personal Data Processed under this DPA, LumoAuth:
- Processes Customer Personal Data only for the limited and specified business purposes set out in the Agreement and this DPA (including providing, maintaining, securing, and improving the Services in accordance with the scope of the Agreement);
- Does not sell Customer Personal Data or otherwise make it available to any third party for monetary or other valuable consideration;
- Does not share Customer Personal Data for cross-context behavioral advertising;
- Does not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and LumoAuth, except as permitted by U.S. State Privacy Laws;
- Does not combine Customer Personal Data with Personal Data received from or on behalf of any other person, or collected from LumoAuth’s own interaction with any Data Subject, except as permitted by U.S. State Privacy Laws;
- Notifies Customer without undue delay if LumoAuth determines it can no longer meet these obligations;
- Grants Customer the right, on reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data; and
- Ensures that any Sub-processor engaged to Process Customer Personal Data subject to U.S. State Privacy Laws is bound by contractual terms substantially similar to those set out in this Schedule 6.
LumoAuth certifies that it understands the restrictions in this Schedule 6 and will comply with them.
Schedule 7 — Sub-processors
The following Sub-processors are engaged to Process Customer Personal Data as of the Effective Date. An up-to-date list is maintained at https://lumoauth.dev/legal/subprocessors.
| Sub-processor | Purpose | Entity location | Processing location |
|---|---|---|---|
| Hetzner Online GmbH | Production hosting infrastructure (compute, storage, networking) for the EU region | Germany | Germany (Nuremberg / Falkenstein) |
| Hetzner Online GmbH | Production hosting infrastructure (compute, storage, networking) for the US region | Germany | United States (Ashburn, VA / Hillsboro, OR) |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery (verification, password reset, security notifications, admin alerts) | United States | United States |
| Google LLC — Firebase Cloud Messaging (FCM) | Delivery of push-authentication prompts to Android devices and, on Customer request, web push | United States | Global (per FCM’s published regions) |
| Apple Inc. — Apple Push Notification service (APNs) | Delivery of push-authentication prompts to iOS devices | United States | Global (per APNs’ published regions) |
| Mistral AI SAS | AI-assisted features (policy authoring, theming, risk narrative), engaged only when the Customer enables these features in tenant configuration. The AI provider is selected and configured by LumoAuth at the platform level, not by the Customer. End-user authentication data is not sent to this Sub-processor. | France | European Union |
Customer choice of hosting region. Customer selects the tenant’s hosting region at provisioning. Customer’s production Customer Personal Data is Processed only by the Hetzner region Customer selects and is not replicated to the other region by LumoAuth.
Hetzner in the transfer analysis. Hetzner Online GmbH is established in Germany. For Customers whose tenants are hosted in the EU region, Customer Personal Data is stored and Processed in Germany (no restricted transfer outside the EEA). For Customers whose tenants are hosted in the US region, Customer’s restricted transfer (where one arises) is to the United States, and the SCCs (Schedule 3) and supplementary measures (Schedule 4) apply. In both cases, LumoAuth has confirmed that Hetzner’s EU and US data centers are certified under ISO/IEC 27001 and that Hetzner contracts on the basis of the EU Commission SCCs for restricted transfers.
Execution
This DPA forms part of, and is executed by reference to, the Agreement. By accepting the Agreement (or, where the Agreement is a written contract, by signing it), each party is deemed to have signed this DPA as of the later of the Effective Date above and the effective date of the Agreement.
Contact for data-protection matters: privacy@lumoauth.dev.
LumoAuth LLC
600 California Street, 11th Floor
San Francisco, CA 94108