1. Parties and roles
This DPA is between you (the "Controller") and Lumendra Labs (Aarón Jiménez Martín, autónomo) (the "Processor"). It applies to all personal data the Processor handles to provide Lumen Twin under the Terms of Service.
2. Subject matter and duration
Processing is limited to what is necessary to deliver the service for the duration of the customer's subscription, plus a 30-day deletion window after termination.
3. Nature and purpose
Hosting, retrieval, transformation, and inference over content the Controller chooses to connect or upload, in order to train and operate a personal AI twin.
4. Categories of data subjects and personal data
Employees, contractors, and counterparties of the Controller. Categories include identifiers, communications content, calendar events, documents, voice samples (when explicitly enabled), and derived embeddings/memory.
5. Sub-processors
Current sub-processors:
- Supabase Inc. — managed Postgres, auth and storage (EU region).
- Cloudflare Inc. — edge runtime, DDoS protection, CDN.
- Stripe Payments Europe Ltd. — payment processing.
- OpenAI, Google, ElevenLabs — AI inference, with no-training flags where supported.
The Processor will give 30 days' notice of any new sub-processor; the Controller may object on reasonable data-protection grounds.
6. Security measures
The Processor maintains at least the following technical and organisational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Per-tenant logical isolation via row-level security.
- SSO and hardware-key requirements for privileged access.
- Immutable audit logs.
- Quarterly access reviews.
- Annual penetration testing.
7. International transfers
Data is stored in the EU. Where transfers outside the EEA are required (e.g. AI inference), the Standard Contractual Clauses (2021/914) apply, supplemented as needed.
8. Assistance with rights and breaches
The Processor will assist the Controller in fulfilling data-subject requests within 5 working days, and will notify the Controller of any personal-data breach without undue delay and in any event within 72 hours of confirmation.
9. Audit
The Controller may request, no more than once per year, a copy of the latest SOC 2 / ISO 27001 reports. On-site audits are available for Enterprise customers under reasonable confidentiality terms.
10. Return and deletion
On termination the Processor will, at the Controller's option, return or permanently delete all personal data within 30 days (90 days for backups), and certify deletion on request.
11. Liability and order of precedence
This DPA forms part of the Agreement. In the event of conflict on data-protection matters, this DPA prevails.
12. Execution
To execute a counter-signed DPA, write to support@lumendralabs.com.