LUNARI

Data Processing Addendum

Effective 1 January 2026

The contract that sits behind the contract — written to be read, not filed.

1. Roles

For data Customer loads into the Service, Customer is the controller and Lunari is the processor. For account and operational data Lunari collects directly (e.g. login telemetry, support tickets), Lunari is an independent controller.

2. Subject matter and duration

Lunari processes Customer data to provide the Lunari Finance Intelligence Suite for the duration of the subscription and for up to 30 days after termination to permit export and deletion.

3. Nature and purpose

Hosting, structuring, indexing, computing on, and presenting Customer's finance data; supporting users; preventing and investigating security incidents; meeting legal obligations applicable to Lunari as processor.

4. Categories of data and data subjects

Categories typically include accounting records, vendor and customer master data, employee finance-relevant identifiers, transaction documents, and approval metadata. Data subjects include Customer's employees, contractors, vendors, and customers represented in those records.

5. Sub-processors

Lunari engages sub-processors for hosting, email delivery, error tracking, and customer support. The current list is available on request, and notice is given at least 30 days before a new sub-processor takes effect. Customer may object on reasonable data-protection grounds.

6. International transfers

Customer data is hosted in the region selected at provisioning (EU, UK, or US). Where transfers outside the EEA or UK are unavoidable, Lunari relies on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

7. Security

Lunari maintains an information security programme certified to ISO 27001 and audited annually under SOC 2 Type II. Technical and organisational measures include encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access, MFA for staff, change management, vulnerability management, and 24×7 monitoring.

8. Incident notification

Lunari notifies Customer without undue delay, and in any event within 72 hours, of any confirmed personal-data breach affecting Customer data, with the information needed for Customer to meet its own regulatory obligations.

9. Audit

Customer may, no more than once per year and on 30 days' notice, audit Lunari's compliance with this DPA. Lunari may satisfy audit requests by providing its most recent SOC 2 Type II report and ISO 27001 certificate under NDA.

10. Deletion and return

On termination, Lunari exports Customer data on request in a structured, commonly used, machine-readable format and deletes Customer data within 30 days, unless a longer retention is required by law.

11. Order of precedence

This DPA supplements the main agreement. In case of conflict on data-protection matters, this DPA prevails. The SCCs and UK IDTA prevail over this DPA where required by law.

12. Contact

Data protection: privacy@lunari.cloud. Security: security@lunari.cloud.