This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Lumina Workforce Terms of Service. By using the Service, you (the “Controller”) agree to this DPA on behalf of your organization. For DPA-related inquiries, contact dpa@luminaworkforce.com.
1. Definitions and Scope
This Data Processing Agreement (“DPA”) is entered into by and between Lumina Workforce, Inc. (“Processor” or “we”) and the business customer (“Controller” or “you”) identified in the associated account or order form. It governs the processing of personal data carried out by Lumina Workforce on behalf of the Controller in connection with the Lumina Workforce platform and related services (collectively, the “Service”).
For the purposes of this DPA, the following definitions apply:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law, including the GDPR and CCPA.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Controller" means the business entity that determines the purposes and means of processing Personal Data (i.e., the Lumina Workforce customer).
- "Processor" means Lumina Workforce, Inc., which processes Personal Data on behalf of the Controller.
- "Data Subject" means the natural person to whom Personal Data relates — typically the Controller's employees, contractors, or workforce members.
- "Sub-processor" means a third-party entity engaged by the Processor to carry out processing activities on Personal Data.
- "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, and any successor legislation.
This DPA applies wherever the Controller uses the Service and Personal Data of Data Subjects is processed by Lumina Workforce as a result. It does not apply to data for which Lumina Workforce acts as a data controller in its own right (such as account administrator information and billing data), which is governed by our Privacy Policy.
2. Data Processing Overview
Lumina Workforce processes Personal Data solely as a Processor, acting on documented instructions from the Controller. The Controller is solely responsible for determining the lawful basis for processing, notifying Data Subjects, and ensuring that Personal Data is collected and submitted to the Service in compliance with Applicable Data Protection Law.
Controller Responsibilities
- Establish and document a lawful basis for processing employee Personal Data through the Service
- Provide required notices and, where applicable, obtain necessary consents from Data Subjects before submitting their data to the Service
- Ensure that Personal Data submitted to the Service is accurate, adequate, and limited to what is necessary for the stated purpose
- Configure worksite GPS geofencing thresholds and attendance requirements in compliance with local labor and privacy laws
- Handle all Data Subject requests received directly from employees, directing them to Lumina Workforce only where technically necessary
Processor Obligations
Lumina Workforce agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by law
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests to the extent technically feasible
- Delete or return Personal Data upon termination of the Service relationship, as described in Section 7
- Notify the Controller promptly in the event of a Personal Data breach affecting Controller data
- Provide reasonable cooperation to enable the Controller to meet its own compliance obligations
3. Types of Data Processed
In connection with providing the Service, Lumina Workforce processes the following categories of Personal Data on behalf of the Controller:
Employee Profile Data
- Full name and preferred display name
- Work email address
- Job title and role designation
- Employee ID or payroll reference number
- Worksite assignment and department
- Account status (active / inactive)
GPS and Location Data
- GPS latitude and longitude captured at the moment of each clock-in or clock-out event
- Device accuracy radius (meters) reported by the device at the time of capture
- Timestamp of each location capture
- Worksite geofence validation result (within radius / outside radius / unavailable)
Location data is captured only at the moment of a clock event — not continuously or in the background. Employees who deny location permissions may still record attendance events; those events are flagged as having no GPS data.
Attendance and Time Records
- Clock-in and clock-out event timestamps
- Total hours worked per shift and per pay period
- Shift schedule and occurrence data (scheduled start/end, status)
- Attendance status flags (present, late, absent, completed)
- Device identifier associated with each clock event
- Offline queue records for events recorded without connectivity
Billing and Subscription Data
Billing data (payment method details, invoices, subscription tier) relates to the Controller as an organization and is processed by Lumina Workforce as a data controller, not as a processor. This data is subject to our Privacy Policy rather than this DPA. Payment card details are processed exclusively by Stripe, Inc. and are never stored on Lumina Workforce infrastructure.
4. Permitted Purposes
Lumina Workforce processes Personal Data submitted by the Controller exclusively for the following permitted purposes:
- Operating the attendance tracking and clock-in/clock-out features of the Service
- Generating timecards, attendance reports, and workforce analytics accessible to the Controller's authorized managers
- Enforcing worksite GPS geofence rules as configured by the Controller
- Providing real-time employee attendance status on the manager dashboard
- Sending system-generated notifications to employees (shift reminders, attendance alerts) as configured by the Controller
- Maintaining audit logs for compliance and dispute resolution purposes
- Detecting and preventing fraud, unauthorized access, or misuse of the Service
- Providing technical support and troubleshooting at the Controller's request
Lumina Workforce will not process Personal Data for any other purpose, including for its own marketing, profiling, or product development, without the Controller's prior written consent or as required by law. Aggregated, de-identified analytics that cannot be re-linked to individuals may be used to improve the Service.
5. Sub-processors
The Controller grants general authorization to Lumina Workforce to engage the sub-processors listed below. Lumina Workforce will ensure that all sub-processors are bound by written data protection agreements providing protections at least equivalent to those in this DPA.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Supabase, Inc. | Cloud database, authentication, and row-level security infrastructure | United States |
| Stripe, Inc. | Payment processing and subscription management (billing data only) | United States |
| Vercel, Inc. | Application hosting, edge network, and serverless compute | United States / Global CDN |
| Amazon Web Services | Cloud infrastructure, object storage, and data backups | United States |
| Resend / SendGrid | Transactional email delivery (invite links, notifications) | United States |
| Sentry, Inc. | Application error monitoring and performance diagnostics | United States |
Lumina Workforce will notify the Controller at least 30 days in advance of adding any new sub-processor or making a material change to an existing sub-processor relationship by updating this page and, where technically feasible, by email notification to the Controller's account administrator. The Controller may object to a new sub-processor in writing within 14 days of such notice. If the parties cannot resolve the objection, the Controller may terminate the Service pursuant to Section 13.
6. Data Security Measures
Lumina Workforce implements technical and organizational measures designed to ensure a level of security appropriate to the risk, including the following:
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 encryption provided by Supabase (PostgreSQL on AWS)
- Authentication tokens and session credentials are encrypted and stored using industry-standard methods
Access Controls
- Row-Level Security (RLS) policies are enforced at the database layer, ensuring each business account can only access its own data
- Role-based access control (RBAC) limits Lumina Workforce staff access to Personal Data on a strict need-to-know basis
- Multi-factor authentication (MFA) is available and recommended for all account administrators
- Administrative access to production infrastructure is restricted to authorized personnel and requires additional authentication
Operational Security
- Regular vulnerability assessments and security reviews of the application and infrastructure
- Dependency scanning and patch management for third-party libraries and operating system components
- Audit logging of privileged access to production systems
- Separation of production and development environments; no Personal Data is used in development or testing without explicit Controller consent
Organizational Measures
- Data protection training for all personnel with access to Personal Data
- Confidentiality obligations in employment and contractor agreements
- A designated data protection contact responsible for monitoring compliance with this DPA
- An incident response plan with defined escalation, containment, and notification procedures
These measures will be reviewed and updated periodically as technology and threat landscapes evolve. Lumina Workforce will not materially reduce the overall level of security during the term of the Service relationship.
7. Data Retention and Deletion
Personal Data is retained in accordance with the following schedule, unless a longer retention period is required by applicable law:
- Employee profile data — retained for the duration of the active subscription; deleted within 30 days of account termination after the data export window
- Attendance records and clock event history — retained for 7 years from the date of creation to support labor law compliance and audit requirements
- Shift schedule and occurrence data — retained for 3 years from the scheduled date
- GPS coordinates captured at clock events — retained as part of the attendance record for 7 years
- Audit logs and system access records — retained for 2 years
- Database backup snapshots — retained for up to 90 days; backups are rotated automatically and are subject to the same encryption standards as live data
Post-Termination Data Export
Upon termination of the Service relationship, the Controller has a 30-day window to export all Personal Data using the platform's export tools (CSV/JSON export via the Manager Portal) or by submitting a written request to dpa@luminaworkforce.com. After this window, Lumina Workforce will irreversibly delete or anonymize all Personal Data associated with the Controller's account, except where retention is required by law.
Early Deletion Requests
The Controller may request deletion of specific Personal Data records at any time through the Manager Portal or by written request. Lumina Workforce will process such requests within 30 days, subject to any legal retention obligations that apply.
8. Data Subject Rights
Lumina Workforce will assist the Controller in fulfilling Data Subject rights requests to the extent technically feasible and within the scope of the Service. The Controller is the primary responsible party for handling these requests, as it is the data controller for the Personal Data of its employees.
Supported Rights
- Right of Access — the Manager Portal provides authorized administrators with access to all employee attendance records and profile data; structured data exports are available in CSV and JSON formats
- Right to Rectification — employee profile data and historical records can be amended by authorized administrators through the Manager Portal
- Right to Erasure — individual employee records can be deleted by administrators; complete account deletion is handled pursuant to Section 7
- Right to Data Portability — all attendance records and employee data can be exported in machine-readable formats (CSV, JSON) on demand
- Right to Restriction of Processing — the Controller may suspend an employee account to prevent further processing of that individual's data without deletion
Requests Submitted Directly to Lumina Workforce
If a Data Subject submits a request directly to Lumina Workforce (rather than to the Controller), Lumina Workforce will promptly forward the request to the Controller's account administrator and will not independently act on the request without Controller authorization, except as required by law.
Response Timelines
Lumina Workforce will acknowledge Data Subject rights requests within 5 business days and provide the requested technical assistance within 30 days. The Controller remains responsible for communicating with the Data Subject and ensuring compliance within applicable statutory deadlines (e.g., 30 days under GDPR, 45 days under CCPA).
9. International Data Transfers
Personal Data processed through the Service may be transferred to, stored in, and processed in the United States, where Lumina Workforce and the majority of its sub-processors maintain infrastructure. Where the Controller is subject to GDPR, UK GDPR, or similar cross-border transfer restrictions, Lumina Workforce relies on the following lawful transfer mechanisms:
- EU Standard Contractual Clauses (SCCs) — the Module 2 (Controller-to-Processor) SCCs adopted by the European Commission (Decision 2021/914) are incorporated into this DPA by reference and apply to transfers of Personal Data from the EEA to Lumina Workforce in the United States
- UK International Data Transfer Agreement (IDTA) — for transfers from the United Kingdom, the applicable IDTA or UK Addendum to the EU SCCs applies
- Sub-processor SCCs — Lumina Workforce ensures that each sub-processor receiving EEA or UK Personal Data is bound by equivalent transfer mechanism agreements
Enterprise customers requiring executed copies of the EU SCCs, a Transfer Impact Assessment (TIA), or customized DPA addenda should contact dpa@luminaworkforce.com. Lumina Workforce will respond to such requests within 10 business days.
10. Breach Notification
In the event that Lumina Workforce becomes aware of a confirmed Personal Data breach affecting Controller data, Lumina Workforce will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, by email to the account administrator's registered email address
- Provide, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of Personal Data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach
- Cooperate with the Controller and take such reasonable steps as directed to assist in investigating, mitigating, and remedying the breach
- Not make any public disclosure or regulatory notification relating to the breach without the Controller's prior written consent, except where disclosure is required by law
The Controller is solely responsible for determining whether notification to regulatory authorities or Data Subjects is required under Applicable Data Protection Law, and for making any such notifications. Lumina Workforce will provide reasonable cooperation and documentation to support the Controller in this process.
11. Audit and Compliance
Lumina Workforce will, upon reasonable written request and no more than once per calendar year, make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. This obligation may be fulfilled by:
- Providing responses to security questionnaires or standard data protection due diligence requests
- Sharing up-to-date third-party security certifications or audit reports (e.g., SOC 2 Type II, ISO 27001) where applicable and available
- Allowing the Controller (or an appointed independent third-party auditor bound by confidentiality obligations) to conduct a security audit of the relevant systems, subject to reasonable prior notice, scope agreement, and execution of an appropriate non-disclosure agreement
Any audit or inspection must be conducted during normal business hours, with at least 30 days' prior written notice, and in a manner that minimizes disruption to Lumina Workforce's operations. The Controller bears all costs of any audit it initiates unless the audit reveals a material breach of this DPA by Lumina Workforce, in which case Lumina Workforce will bear reasonable audit costs.
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Lumina Workforce Terms of Service. Nothing in this DPA limits either party's liability in cases of willful misconduct, fraud, or liability that cannot be excluded under Applicable Data Protection Law.
The Controller agrees to indemnify and hold harmless Lumina Workforce from and against any claims, penalties, fines, or regulatory actions arising from the Controller's failure to comply with its obligations under Applicable Data Protection Law, including failure to establish a lawful basis for processing, failure to notify Data Subjects, or failure to respond to Data Subject requests within required timeframes.
Lumina Workforce agrees to indemnify the Controller for losses directly caused by Lumina Workforce's material breach of this DPA, subject to the liability cap set out in the Terms of Service.
13. Term and Termination
This DPA is effective from the date the Controller first accepts the Lumina Workforce Terms of Service and remains in force for the duration of the Service relationship. Upon termination of the Service relationship for any reason, the DPA continues to apply to the extent necessary to govern the handling of Personal Data during the post-termination data retention and deletion period described in Section 7.
The Controller may terminate the Service in accordance with the Terms of Service if Lumina Workforce:
- Materially breaches this DPA and fails to remedy the breach within 30 days of written notice
- Adds a new sub-processor to which the Controller has legitimately objected and the parties cannot reach agreement
- Is required by law to process Personal Data in a manner that conflicts with the Controller's documented instructions and cannot be resolved
Upon termination, the post-termination obligations in Section 7 (data return and deletion) and Section 10 (breach notification, for any breaches discovered post-termination) survive.
14. Contact and Compliance
For all matters related to this DPA, data protection compliance, or Personal Data processing under this agreement, please contact:
DPA and Data Processing Inquiries
dpa@luminaworkforce.com
For DPA execution requests, sub-processor questions, and data processing compliance matters.
Data Subject Access Requests
dsar@luminaworkforce.com
For rights requests submitted by individual employees (forwarded to the Controller).
Privacy and General Inquiries
privacy@luminaworkforce.com
For general privacy questions and matters not specific to DPA obligations.
Security and Breach Reports
security@luminaworkforce.com
For reporting suspected vulnerabilities, security incidents, or data breaches.
Lumina Workforce will respond to DPA-related inquiries within 10 business days. For urgent matters involving active data breaches or imminent regulatory deadlines, please indicate the urgency in the subject line of your email.
If you require an executed, countersigned copy of this DPA for your compliance records, please email dpa@luminaworkforce.com with your organization name and account email. We will provide a countersigned PDF within 5 business days at no charge.