Data Processing Agreement
1. Roles
The Controller determines the purposes and means of processing leads' personal data; Lumaa is the Processor. End-users / call recipients are the Data Subjects.
2. Categories of data and data subjects
| Category | Examples |
|---|---|
| Identification | Name (where supplied by Controller), phone number (E.164) |
| Communications | Voice audio, text transcripts of calls, AI-inferred outcome status |
| Behavioural | Call timestamps, attempt count, response/no-response |
Data Subjects are the natural persons whose phone numbers the Controller dials via the Service.
3. Subject matter and duration
The processing is the AI-driven outbound calling service. Duration is the term of the Subscription, plus the post-termination retention windows in Section 6.
4. Processor obligations
Lumaa will:
- Process personal data only on the Controller's documented instructions (the Subscription, the Persona configuration, and any change order).
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement the technical and organisational measures described in our Privacy Policy, Section 7 (Security).
- Engage sub-processors only with prior general consent (see Annex A). Lumaa notifies the Controller 30 days before adding a new sub-processor; the Controller may object in writing and terminate the affected portion of the Service pro-rata.
- Assist the Controller in responding to Data Subject rights requests within 5 business days of receiving the request.
- Notify the Controller without undue delay (target: ≤72 hours) of any confirmed personal-data breach affecting the Controller's data, with the information required for the Controller to make its own regulatory notifications.
- Delete or return all personal data on termination, at the Controller's choice, except where UAE law mandates retention.
- Make available all information necessary to demonstrate compliance, and allow audits no more than once per year on 30 days' notice during business hours, conducted by the Controller or a mutually agreed third-party auditor at the Controller's expense.
5. Controller obligations
The Controller will:
- Ensure it has a lawful basis to process the lead data and to instruct Lumaa to call those leads (consent, legitimate interest with documented LIA, or contract).
- Not upload data outside the categories listed in Section 2 (no special-category data, no data relating to children or minors).
- Configure the AI Persona to comply with the AUP and the Recording & AI Disclosure requirements.
- Provide Data Subjects the privacy information they are entitled to before their data is processed.
- Not instruct Lumaa to process data unlawfully; if Lumaa believes an instruction violates UAE law, Lumaa may decline and notify the Controller.
6. Retention and deletion
| Trigger | Retention |
|---|---|
| Active subscription | Lifetime of subscription |
| Termination — recordings, transcripts | 30 days, then hard-deleted from S3 + DB |
| Termination — leads, call-log metadata | 30 days, then hard-deleted |
| Audit log entries (calls placed, opt-outs, AUP events) | 7 years (consumer-protection record-keeping) |
| Backups containing personal data | 60-day rolling retention; hard-deleted on rotation |
The Controller may request a deletion certificate after the 30-day post-termination window.
7. International transfers
Personal data may be processed in countries outside the UAE. Each transfer is governed by Standard Contractual Clauses or an equivalent adequate-protection mechanism under the UAE PDPL. Where the Controller requires a UAE-only deployment, the parties will negotiate a region-specific addendum (currently on the roadmap; may not be available at signing).
8. Liability
This DPA does not change the liability allocation in the Terms of Service except that breach of confidentiality, breach of Section 4 (Processor obligations), or breach of Section 6 (retention) is uncapped.
9. Term and survival
This DPA continues for the life of the Subscription and for the post-termination retention periods. Sections 4(6), 6, 7, 8, and 9 survive termination.
10. Order of precedence
If this DPA conflicts with the Terms of Service, this DPA prevails for matters of personal data processing.
Annex A — Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, KMS, S3 recording storage | Bahrain (me-south-1) primary; failover regions per agreement |
| OpenAI | Large-language-model inference for AI persona | United States |
| Deepgram | Speech-to-text transcription | United States |
| ElevenLabs | Text-to-speech voice synthesis | United States |
| Stripe (or alternative) | Payment processing for subscriptions | Ireland / United States |
| Twilio (optional) | Telephony origination/termination where customer chooses Twilio over PBX | United States / Ireland |
Annex B — Security measures
See our Privacy Policy, Section 7 for the current list of technical and organisational measures, including encryption, access control, logging, breach notification timing, and review cadence.
Signing
For most Clients, accepting the Terms of Service at signup constitutes acceptance of this DPA. Enterprise Clients may request a counter-signed copy on company letterhead — email legal@lumaa.ai.