Data Processing Agreement (Draft)

This is a draft DPA for the Luqora Books & People private beta. It will be finalised before paid production launch.

Version: 1.0-beta. Last updated: 16 June 2026.

Processor

LUQVERSE LTD

Purpose

Processing customer workspace data (accounting records, HR documents, employee data, uploaded files) on behalf of the customer (controller).

Processor Obligations

• Process data only on documented instructions from the controller
• Ensure staff confidentiality obligations
• Implement appropriate technical and organisational security measures
• Assist the controller with data subject requests
• Notify the controller of data breaches without undue delay
• Delete or return data on termination of the agreement
• Cooperate with audits and inspections

Customer (Controller) Obligations

• Ensure lawful basis for processing data uploaded to Luqora
• Provide clear processing instructions
• Not upload prohibited or illegal data

Security Measures

• Encryption in transit (TLS)
• Tenant isolation
• Role-based access control (RBAC)
• Two-factor authentication (2FA)
• File validation (type, size, magic-byte)
• Audit logging
• Secure storage

Subprocessors

A list of current subprocessors is available at /subprocessors.

International Transfers

Where subprocessors operate outside the UK/EEA, Standard Contractual Clauses or equivalent safeguards are in place.

Breach Notification

The processor will notify the controller within 72 hours of becoming aware of a personal data breach.

Data Return and Deletion

On request or account closure, customer data will be returned or securely deleted.

Beta Limitation

During private beta, this DPA applies on a best-effort basis. Full contractual DPA will be available before paid production.

Contact

info@luqverse.com

TODO: Final legal review required before paid production launch.