Data Processing Addendum

Processor terms, SCCs, and security measures.

Effective 2025-03-17 · Last updated 2025-03-17

This Data Processing Addendum ("DPA") forms part of the Agreement between Customer ("Controller") and Lucien AI, Inc. ("Lucien", "Processor") and governs Lucien’s processing of Customer Personal Data in providing the Services. If there is a conflict between this DPA and the Agreement, this DPA controls unless the Agreement expressly overrides a DPA term.

1. Scope & Roles

Customer determines the purposes and means of processing Customer Personal Data and is the Controller (or a Processor acting on behalf of a Controller). Lucien processes such data on Customer’s documented instructions and is a Processor (or Sub‑processor), as applicable.

2. Processing on Instructions

Lucien will process Customer Personal Data only: (a) to provide, secure, and support the Services; (b) per this DPA and the Agreement; and (c) per Customer’s further documented instructions that are consistent with the Agreement. Lucien will notify Customer if an instruction violates Data Protection Laws, where legally permitted. Lucien will not sell Customer Personal Data or share it for targeted advertising, nor combine it with personal data from other sources except as permitted by law and this DPA (e.g., for de‑identified analytics).

3. Security Measures

Lucien will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include access controls (MFA/SSO, RBAC, least privilege), device and infrastructure security, encryption in transit and at rest, logging/monitoring, incident response, employee security training, confidentiality obligations, and vendor risk management. Additional details are available at /security.

4. Sub‑processors

Lucien may appoint Sub‑processors to support the Services. Lucien will: (a) impose data protection obligations on Sub‑processors that are no less protective than this DPA; (b) remain liable for Sub‑processor acts and omissions to the extent Lucien would be liable under this DPA; and (c) maintain a list of current Sub‑processors at /legal/subprocessors. Lucien will provide advance notice of new Sub‑processors and Customer may object on reasonable data‑protection grounds. If the parties cannot resolve an objection, Customer may terminate the affected Services and Lucien will refund prepaid, unused fees for the terminated portion.

5. International Transfers (SCCs)

Where Customer Personal Data originating from the EEA/UK/Switzerland is transferred to a country not deemed adequate, the parties will rely on appropriate safeguards. The EU Standard Contractual Clauses (SCCs) (Module 2 and/or 3, as applicable) are incorporated by reference; the UK International Data Transfer Addendum and the Swiss addendum apply for UK/Swiss transfers. Annexes/Appendices will reflect the Service description, categories of data subjects/personal data, and security measures described above.

6. Breach Notification

Lucien will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably necessary for Customer to meet its breach‑notification obligations. Lucien will take appropriate steps to contain, investigate, and remediate the incident. Notifications are not an acknowledgement of fault.

7. Deletion & Return

At termination or upon Customer request, Lucien will delete or, upon request, return Customer Personal Data in its possession, except to the extent retention is required by law or for backup/archival continuity. Data retained for legal/archival reasons will remain protected under this DPA and will be deleted per standard retention schedules.

8. Assistance; Data Subject Requests; Audits

Lucien will provide reasonable cooperation to help Customer respond to verifiable requests to exercise data subject rights where Customer cannot fulfill the request via the Services. Upon written request no more than once annually, and subject to reasonable confidentiality, security, and scheduling controls, Lucien will make available third‑party audit reports or certifications (e.g., SOC 2) to demonstrate compliance. If those are insufficient to meet Customer’s legal obligations, Customer may conduct an assessment upon 30 days’ notice, scoped to systems that process Customer Personal Data and conducted to minimize disruption, at Customer’s expense.


Appendix A – Description of Processing

Categories of data subjects: Customer’s personnel and end users.

Categories of personal data: identifiers (name, email, username), usage metadata, and other data Customer submits to or generates via the Services. Sensitive data is not intended to be processed unless Customer submits it.

Nature and purpose: provision, support, and improvement (including security, troubleshooting, and analytics) of the Services as described in the Agreement.

Duration: for the term of the Agreement and as otherwise permitted herein.

Appendix B – Technical and Organizational Measures (Summary)

Access controls (SSO/MFA, RBAC, least privilege); encryption in transit/at rest; network segmentation and hardened infrastructure; secure software development lifecycle; logging/monitoring and alerting; incident response; employee security training and background checks; vendor risk management; physical and environmental security.

© 2025 Lucien AI, Inc. All rights reserved.