Data Processing Addendum
This Data Processing Addendum ("DPA") sets forth the terms and conditions related to the privacy, confidentiality and security of Personal Data associated with Services provided by Luma to Host.
In this DPA, references to "you" mean the Host, and references to "we," "us," "our" and "Luma" mean Luma Labs, Inc.
- Business, Data Controller, Data Processor, Data Subject, Processing, Personal Data, and Service Provider shall have the meanings ascribed to them in applicable Data Protection Laws.
- CCPA means the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and associated regulations.
- Data Protection Laws means all applicable laws or regulations related to the privacy, confidentiality and security of Personal Data.
- Data Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed by Luma on Host’s behalf as part of Host’s use of the Services.
- EU SCCs means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Services means any services provided by Luma to Host, as defined in the Luma Terms of Service or any other applicable services agreement between Luma and Host.
- Technical and Organizational Security Measures means reasonable security measures implemented by Luma appropriate to the type of data being Processed and the Services being provided by Luma designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. More at lu.ma/security.
- UK SCC Addendum means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.
1. Applicability of DPA
1.1 In using Luma’s Services, Host acts as a Business and is a Data Controller of the Personal Data associated with an individual using Luma Services to register for or purchase a ticket to attend such Host’s event ("Consumer"), or to subscribe to updates from Host. Host represents and warrants that it has provided any necessary notices and, if required, obtained necessary consent related to the collection of such Personal Data from the Consumer, and that Host has the right to share such Personal Data with Luma.
1.2 Where Luma Processes the Personal Data of Consumers on behalf of Host as part of the Services, Luma is a Data Processor or Service Provider in performing such Processing and Host is the Data Controller or Business.
This includes circumstances where Luma obtains Personal Data as a result of the provision of its core event services (for example, where Luma facilitates the transmission of emails to Consumers at the request of Hosts, collects event registrations, processes payments, or provides event insights to enable Hosts to gain understanding of their event performance).
In respect of some processing of Consumers' Personal Data, Luma may act as a Data Controller or Business, for example, where Consumers have engaged with aspects of Luma’s Applications beyond those relating to Host’s event. With regard to such processing, Luma is an independent Data Controller and not a joint Data Controller with Host.
To the extent that Luma processes Personal Data as a Data Processor or Service Provider on behalf of Host, Section 2 of this DPA shall apply; however, when Luma is acting as a Business or Data Controller of Consumers' Personal Data, Luma's processing shall not be subject to this DPA.
1.3 Details about the Personal Data to be processed by Luma and the Processing activities to be performed under the Agreement are as follows:
1.3.a duration - as set out in the Agreement;
1.3.b nature, purpose and subject matter - to enable Host to organize and promote events and manage ticketing using Luma Services;
1.3.c data categories - name, email address, billing and payment information, information related to events booked and attended, and any other Personal Data that Host requests of its Consumers;
1.3.d data subjects - Consumers.
2. Data Processing
2.1 Whenever Luma processes Personal Data on behalf of Host, Luma shall:
2.1.1 Process Personal Data only on the documented instructions of Host, unless required to do otherwise by applicable law.
Luma shall inform Host of the legal requirement before processing Personal Data other than in accordance with Host’s instructions, unless that same law prohibits Luma from doing so on important grounds of public interest.
Host will ensure that its instructions comply with all laws, regulations and rules applicable to the Personal Data, and that Luma’s processing of such Personal Data will not cause Luma to violate any applicable law, regulation or rule, including Data Protection Laws.
Luma will notify Host, if in its opinion, an instruction is in breach of applicable Data Protection Laws.
Host hereby instructs Luma, and Luma hereby agrees, to process Personal Data as necessary to perform Luma’s obligations under the Agreement and for no other purpose, unless otherwise specified in this DPA or required to comply with the law or other binding governmental order.
In the event that this DPA or any actions to be taken or contemplated in performance of this DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws, the parties shall negotiate in good faith upon an appropriate amendment to this DPA;
2.1.2 Comply with all applicable provisions of Data Protection Laws and provide the same level of protection for Personal Data as required of Host under Data Protection Laws. Luma will process Personal Data only as necessary to perform Luma’s obligations under the Agreement, or as otherwise permitted by Data Protection Laws.
Without limiting the foregoing, Luma will not:
(i) “sell” or “share” the Personal Data, as such terms are defined in the CCPA;
(ii) retain, use, or disclose any such data outside of the direct business relationship between Host and Luma unless permitted by Data Protection Laws; or
(iii) retain, use or disclose Personal Data for any purpose other than the business purposes specified in this DPA or otherwise permitted by Data Protection Laws.
Luma shall comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Luma receives from, or on behalf of, another person or persons, or that Luma collects from any interaction between it and any individual.
2.1.3 Have in place Technical and Organizational Security Measures that are documented on Luma’s website;
2.1.4 Notify Host in the event of a Data Security Breach without undue delay, unless otherwise prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the event of any Data Security Breach, Luma, in its sole discretion, may provide data breach notification to affected data subjects directly. Where Luma does not provide such notification, Luma shall provide reasonable assistance, where required by applicable Data Protection Laws and at Host’s request, to enable Host to comply with its data breach obligations as a Data Controller or Business;
2.1.5 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data of Consumers Processed by Luma on Host’s behalf;
2.1.6 Impose obligations on its sub-processors that have access to Personal Data of Consumers Processed by Luma on Host’s behalf that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to Host for any failure by a sub-processor to fulfill its obligations in relation to such Personal Data;
2.1.7 Provide reasonable assistance to Host in responding to individual rights requests or other communications received under applicable Data Protection Laws from any applicable data protection authority or Consumer who is the subject of any Personal Data processed by Luma on Host’s behalf. In the event that a Consumer submits a Personal Data deletion request to Luma, Host hereby instructs and authorizes Luma to delete or anonymize the Consumer's Personal Data on Host’s behalf. Where necessary, Host shall inform Luma of any other individual rights request that Luma must comply with, and provide the information necessary for Luma to comply with the request;
2.1.8 Upon Host’s written request, make available to Host all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable assistance with privacy and data protection impact assessments and related consultations of data protection authorities, and allow for and co-operate with any audits. Any on-site audits shall be:
(i) permitted only on reasonable advance notice to Luma;
(ii) subject to appropriate confidentiality undertakings; and
(iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means; and
2.1.9 Except for that Personal Data with respect to which Luma acts as a Data Controller or Business, return, delete, or destroy (at Host’s election) the Personal Data of Consumers processed on Host’s behalf and copies thereof, at Host’s request (unless applicable law requires the storage of such Personal Data).
2.2 Host hereby consents and authorizes Luma to disclose or transfer Personal Data to, or allow access to Personal Data by, Luma’s current sub-processors ("Current Sub-Processors") to process Personal Data on Host’s behalf.
2.3 Host hereby consents to Luma appointing additional and replacement sub-processors ("Replacement Sub-Processors") to process Personal Data on Host’s behalf. Luma shall give notice to Host of the identity of intended Replacement Sub-Processors by updating Luma’s website (Host is responsible for regularly checking and reviewing Luma’s website for any such changes).
2.4 Luma hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them. Luma will notify Host if Luma makes a determination that it can no longer meet its obligations under Data Protection Laws.
2.5 Host shall have the right, upon fourteen (14) business days’ notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Luma.
3. Cross-Border Transfers
3.1 Host agrees that Luma may transfer Personal Data of Consumers to various locations in connection with providing the Services. Transfers will be made in accordance with legally enforceable transfer mechanisms where required by applicable Data Protection Laws. To make transfers from the United Kingdom, Luma also adheres to UK Privacy Laws as described in section 3.2 of this DPA.
3.2 UK Transfers. With respect to Luma Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, Luma will follow all applicable laws in accordance with the UK SCC Addendum.