Data Processing Addendum

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Use between Luminary AI ("Processor") and the Customer ("Controller"). It applies to the processing of Personal Data uploaded by the Customer to the Services.

2. Roles of the Parties

• Controller (You): You determine the purposes and means of processing Personal Data (e.g., your client's financial data).
• Processor (Us): We process Personal Data only on your documented instructions and in accordance with this DPA.

3. Data Processing Terms

• Nature & Purpose: We process data to provide estate planning visualization, summarization, and related services.
• Data Types: Trust documents, wills, beneficiary names, financial asset values, and family relationship data.
• Duration: We retain data for the term of your subscription or until you request deletion.

4. Security Measures

We implement industry-standard technical and organizational measures to protect data, including:

• Encryption of data in transit (TLS) and at rest (AES-256).
• Role-based access controls and multi-factor authentication (MFA).
• Regular security assessments and vulnerability scanning.

5. Sub-Processors

You authorize us to use third-party sub-processors (e.g., AWS, OpenAI, Anthropic) to provide the Services. We enter into written agreements with each sub-processor containing data protection obligations no less protective than those in this DPA. A current list of sub-processors is available upon request.

6. Data Subject Rights

We will provide reasonable assistance to help you respond to requests from individuals exercising their rights (e.g., right to access, deletion, or correction) under applicable data protection laws (GDPR, CCPA).

7. International Transfers

If we transfer data outside the EEA, UK, or Switzerland, we rely on valid transfer mechanisms such as the Standard Contractual Clauses (SCCs).