Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into and forms part of the agreement between Luxorus Studio LLC ("Processor") and the customer entity that has executed a Statement of Work or Order Form ("Controller").
This Addendum supplements our Privacy Policy and the terms of your Statement of Work.
1. Purpose
This DPA governs the processing of personal data that Controller submits to the Luxorus Studio suite product in connection with the Services. It establishes the obligations and rights of both parties with respect to such data.
2. Roles
For the purposes of this DPA, Controller determines the purposes and means of processing personal data submitted to the platform. Luxorus Studio acts as Processor and processes such data only on documented instructions from Controller, including as set forth in this DPA and the applicable Order Form.
3. Data Processed
Luxorus Studio processes the categories of personal data submitted by Controller and its authorized users to the suite product, which may include: business contact information, customer records, financial transaction data, operational data, and any other data Controller uploads to the platform.
4. Security
Luxorus Studio implements and maintains appropriate technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include: row-level security on the database layer (Supabase), encrypted data at rest and in transit (TLS 1.2+), access controls limited to authorized personnel, and error monitoring via Sentry.
5. Sub-Processors
Controller hereby authorizes Luxorus Studio to engage the following sub-processors: Supabase (database), Stripe (payments), Resend (email), Sentry (error monitoring), and Vercel (hosting). Luxorus Studio will notify Controller of any intended changes to this list with reasonable advance notice, allowing Controller to object to such changes.
6. International Transfers
To the extent personal data is transferred outside the country of origin, Luxorus Studio shall implement appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by applicable regulatory authorities. This DPA does not expand the scope of Luxorus Studio's obligations beyond what is technically and operationally feasible for a small U.S.-based software company.
7. Data Subject Rights
Luxorus Studio will assist Controller in responding to data subject rights requests (access, correction, deletion, portability) to the extent technically feasible. Controllers are responsible for handling data subject communications and for ensuring they have a lawful basis for any processing they direct.
8. Deletion & Return
Upon termination of the Services, Luxorus Studio will delete Controller's personal data from active production systems within 90 days, unless longer retention is required by applicable law. Backups may be retained for up to 12 months in accordance with our disaster recovery practices.
9. Suite-App DPA
Customers who access the Luxorus Suite application should also review the full DPA embedded within the suite's legal documentation, which contains additional technical specifications relevant to active account holders.
10. Contact
Questions about this DPA? Email hello@luxorusstudio.com.