Luca

Data Processing Addendum (DPA)

Last updated: 28 August 2025

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between WITHLUCA LTD ("Luca", "Processor", "we", "us") and the customer identified in the Agreement ("Customer", "Controller", "you") for use of Luca's services. Capitalised terms not defined here have the meanings in the Agreement.

By using the Services where Luca processes Personal Data on your behalf, you agree to this DPA.

1. Subject matter, roles & scope

1.1 Roles. For Customer Data (documents, invoice data, metadata and related content you or your end users upload or connect), Customer is Controller and Luca is Processor.

1.2 Purpose. Luca will process Personal Data solely to provide, maintain, secure and support the Services described in the Agreement.

1.3 Duration. The term of this DPA is the term of the Agreement plus any post-termination period necessary to return/delete data and comply with legal obligations.

2. Processor obligations

2.1 Instructions. Luca will process Personal Data only on documented instructions from Customer as set out in the Agreement, this DPA, and Customer's configuration of the Services.

2.2 Confidentiality. Luca ensures personnel authorised to process Personal Data are bound by confidentiality obligations.

2.3 Security. Luca implements appropriate technical and organisational measures as described in Annex II (Security Measures).

2.4 Sub-processors. Customer authorises Luca to engage sub-processors listed at withluca.ai/subprocessors. Luca will (i) impose data protection terms no less protective than this DPA, and (ii) remain liable for their performance. Luca will provide advance notice (typically 30 days) of additions or replacements via that page and/or email; Customer may object as described in the Agreement.

2.5 Assistance. Taking into account the nature of processing, Luca will assist Customer with (i) data subject requests, (ii) security of processing, (iii) personal-data breach notifications, and (iv) data protection impact assessments, to the extent required by applicable law.

2.6 Personal-data breach. Luca will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data and will provide information to help Customer meet its obligations.

2.7 Deletion/return. At termination or upon written request, Luca will delete or return Customer Data as instructed, unless retention is required by law. Unless otherwise agreed, deletion occurs within 30 days after termination.

3. Customer responsibilities

3.1 Lawful basis & accuracy. Customer is responsible for (i) the accuracy, quality and legality of Customer Data, (ii) obtaining all necessary consents and providing required notices, and (iii) having a valid legal basis for processing and international transfers.

3.2 Configuration & minimisation. Customer will use available controls to minimise Personal Data processed and avoid sending unnecessary personal data to logs or error tracking.

4. International transfers

4.1 Safeguards. Where processing involves transfer of Personal Data outside the UK/EEA, Luca will ensure appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) and the UK Addendum/IDTA, as applicable.

4.2 SCCs incorporation. The SCCs (EU Commission Decision 2021/914) are incorporated by reference:

Module 2 (Controller → Processor) and, where Luca engages a sub-processor outside the EEA/UK, Module 3 (Processor → Processor).

Annex I/II particulars are set out in this DPA's Annexes; Annex III is the Sub-processor list at withluca.ai/subprocessors.

4.3 Regional processing options. Where Customer routes inference through OpenAI EU-region projects or selects EU/UK regions for hosting/storage, Luca will process Customer content in-region (subject to product availability and Customer configuration). Otherwise, transfers are protected by the safeguards above.

5. Audits & information

On reasonable written request and no more than once in any 12-month period (unless required by a supervisory authority or following a breach), Luca will make available information necessary to demonstrate compliance with this DPA and allow for audits by Customer or an independent auditor under confidentiality, during normal business hours, without disrupting operations. Scope and costs will be agreed in advance; Luca may satisfy audit requests by providing third-party compliance reports (e.g., SOC 2, ISO 27001) and responses to reasonable security questionnaires.

6. Google & Microsoft user data

If Customer connects Google or Microsoft services, Luca will access only the minimum scopes necessary to fetch invoice-related items. For Google APIs, Luca complies with the Google API Services User Data Policy (Limited Use) and will not use such data to develop or train generalised AI/ML models.

7. Liability & order of precedence

Each party's liability under this DPA is subject to the limitations in the Agreement. In the event of conflict, this DPA prevails over the Agreement to the extent of the conflict, except where the SCCs or UK Addendum require otherwise, in which case those terms prevail.

8. Governing law & jurisdiction

This DPA is governed by the law and courts specified in the Agreement, except the SCCs/UK Addendum which follow their own governing-law clauses.

Annex I — Processing details

A. Parties

Controller: The Customer named in the Agreement.

Processor: WITHLUCA LTD, 34 Drake Road, Harrow, England, HA2 9EA.

B. Description of processing

Subject matter: Processing of Customer's invoice and finance-related documents and metadata through the Luca platform.

Nature & purpose: Ingestion, classification, extraction, enrichment, matching, and sync to accounting systems (e.g., Xero, QuickBooks).

Duration: Term of the Agreement plus the retention periods in Annex II / Privacy Policy, unless otherwise instructed.

Types of Personal Data: Names, emails, business identifiers, supplier details, invoice line-item metadata, bank reference text, amounts, attachments (which may incidentally include personal data). Customer determines the specific data submitted.

Categories of data subjects: Customer's personnel; Customer's suppliers, contractors, or clients referenced in documents.

Special categories / children: Not intended to process special categories or children's data; Customer will not submit such data.

C. Transfers

As described in Section 4 of this DPA.

Annex II — Security measures (summary)

Luca maintains a security programme that includes:

Annex III — Sub-processors

The current list is maintained at https://withluca.ai/subprocessors (including purpose, data types, regions, safeguards and change log).