Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) forms part of the agreement between Conlumina Digital (“Processor”) and the customer (“Controller”) regarding the use of the Conlumina Reviews service.

Last updated: 2026-04-20

1. Roles and Scope

The Controller acts as the data controller and the Processor acts as the data processor within the meaning of the GDPR.

The Processor shall process personal data solely on behalf of the Controller and in accordance with the Controller’s documented instructions, as defined in this Agreement, the applicable Terms of Service, and the Controller’s use and configuration of the service.

2. Scope of Processing

The Processor processes personal data to provide the Conlumina Reviews service. This includes:

  • Importing customer data provided by the Controller
  • Sending review invitations via email or other communication channels as configured by the Controller
  • Managing and storing review responses
  • Providing tools for moderation, response, and publication of reviews
  • Aggregating and presenting review data within the platform

The Processor does not use personal data for its own purposes and does not independently determine the purposes or means of processing beyond what is necessary to provide the service.

3. Instructions

The Controller instructs the Processor to process personal data in order to provide the service. Such instructions include, but are not limited to:

  • Uploading or synchronising customer data
  • Configuring communication workflows and triggers
  • Defining recipients and timing of review invitations
  • Managing and responding to reviews

The Controller may provide additional documented instructions. The Processor shall inform the Controller if an instruction, in its opinion, infringes applicable law.

4. Legal Basis

The Controller is solely responsible for ensuring that a valid legal basis exists for the processing of personal data, including any communication sent via the service (e.g. review invitations), in accordance with applicable data protection and electronic communications laws.

The Processor does not determine the legal basis for processing and acts only on behalf of the Controller.

5. Confidentiality

The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:

  • Encryption of data in transit
  • Access control and authentication mechanisms
  • Restriction of access to personal data
  • Regular system updates and monitoring

Further details are described in Appendix 1.

7. Sub-processors

The Processor may engage sub-processors to provide parts of the service, including providers of hosting, infrastructure, communication delivery, and analytics services.

The Processor shall ensure that sub-processors are bound by data protection obligations equivalent to those set out in this Agreement.

A current list of sub-processors is available upon request or at: [INSERT URL].

The Controller may object to the use of a new sub-processor on reasonable data protection grounds.

8. Assistance to the Controller

The Processor shall assist the Controller, taking into account the nature of the processing, in fulfilling its obligations under applicable data protection law, including:

  • Responding to data subject requests
  • Ensuring compliance with security obligations
  • Supporting data protection impact assessments where required

9. Personal Data Breaches

The Processor shall notify the Controller without undue delay and, where feasible, within 24 hours after becoming aware of a personal data breach.

10. International Transfers

The Processor shall not transfer personal data outside the EU/EEA unless appropriate safeguards are in place in accordance with applicable law.

11. Data Retention and Deletion

Upon termination of the service, the Processor shall, at the choice of the Controller, delete or return all personal data, unless retention is required by applicable law.

Unless otherwise agreed, personal data shall be deleted within 30 days after termination of the service.

12. Audits

The Controller may request information necessary to demonstrate compliance with this Agreement. Any audits shall be carried out with reasonable notice and without disrupting the Processor’s operations.

13. Term and Termination

This Agreement remains in effect for as long as the Processor processes personal data on behalf of the Controller.

Appendix 1 – Description of Processing

Categories of data subjects

  • Customers or clients of the Controller

Types of personal data

  • Name
  • Email address
  • Phone number (if provided)
  • Review content and responses
  • Metadata related to communication and interaction (e.g. timestamps, delivery status)

Purpose of processing

  • Sending review invitations
  • Collecting and managing customer reviews
  • Providing analytics and insights related to reviews
  • Enabling publication and moderation of reviews

Nature of processing

  • Collection, storage, organisation, and structuring of data
  • Transmission (e.g. sending communications)
  • Retrieval and use within the platform
  • Deletion upon instruction or termination

Duration of processing

  • For the duration of the service agreement and until deletion in accordance with Section 11

Security measures

  • Encryption in transit (HTTPS)
  • Access control and role-based permissions
  • Limitation of access to authorised personnel only
  • Monitoring and logging of system activity