






Data Processing Addendum
Last update: 12 August, 2025
This Data Processing Addendum ("DPA") forms part of the agreement between Luna Launches, Inc. (“Luna”) ("Processor") and the customer ("Controller") for the provision of Luna's B2B SaaS productivity tool services (the "Services").
1. Definitions
1.1 "Applicable Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the GDPR and the California Consumer Privacy Act (CCPA).
1.2 "GDPR" means the General Data Protection Regulation (EU) 2016/679.
1.3 "Personal Data" means any information relating to an identified or identifiable natural person as defined in Applicable Data Protection Laws.
1.4 "Processing" means any operation performed on Personal Data, whether or not by automated means.
2. Data Processing
2.1 The Controller retains control of the Personal Data and remains responsible for its compliance obligations under Applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.
2.2 The Processor shall only process Personal Data on behalf of the Controller in accordance with the Controller's documented instructions and in compliance with Applicable Data Protection Laws.
3. Purpose and Scope of Processing
3.1 The purpose of the processing is to provide the Services as described in the main agreement.
3.2 The types of Personal Data processed may include, but are not limited to:
- Identifiers (e.g., names, email addresses)
- Professional information (e.g., job titles, roles)
- User account information
- Profile photo and other information you choose to include to describe yourself, only collected if you do choose to provide it
- Any other information you choose to provide while using Luna that identifies or can be reasonably associated with you
4. Security Measures
4.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
- Measures to restore the availability and access to personal data in a timely manner in the event of an incident
- Regular testing and evaluation of the effectiveness of security measures
The following list describes additional information about Luna’s technical and organizational security measures:

5. Subprocessors
5.1 The Controller authorizes the Processor to engage subprocessors to assist in the provision of the Services, provided that:
- The Processor maintains an up-to-date list of subprocessors and makes it available to the Controller
- The Processor imposes data protection obligations on subprocessors that are no less protective than those in this DPA
Authorized subprocessors list:

6. Data Subject Rights
6.1 The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws.
7. Data Breach Notification
7.1 The Processor shall notify the Controller without undue delay of a personal data breach and shall assist the Controller in meeting its obligations under Applicable Data Protection Laws.
8. International Data Transfers
8.1 The Processor may transfer Personal Data outside the European Economic Area (EEA), including to the United States, as necessary to provide the Services.
8.2 For any such transfers, the Processor shall ensure appropriate safeguards are in place in accordance with Applicable Data Protection Laws. These safeguards may include, but are not limited to:
- Adherence to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, if applicable;
- Implementation of Standard Contractual Clauses approved by the European Commission;
- Any other legally recognized transfer mechanism or derogation under Applicable Data Protection Laws.
8.3 The Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) are hereby incorporated in their entirety into this DPA and shall apply to transfers of Personal Data outside the EEA.
8.4 For the purposes of the SCCs: a) Luna shall be considered as the 'data exporter' and the relevant subprocessor shall be the 'data importer'; b) Annexes I, II, and III of the SCCs shall be deemed completed with the relevant information from this DPA and the Privacy Policy.
8.5 The Processor shall make available to the Controller information about the safeguards used for international transfers upon request.
8.6 The Controller acknowledges and agrees that by using the Services, it is instructing the Processor to perform such international transfers as necessary to provide the Services.
8.7 The Processor shall promptly inform the Controller of any inability to comply with this clause due to changes in applicable laws or regulations.
9. Audit Rights
9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
10. Return or Deletion of Data
10.1 Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless required by law to retain such data.
11. Liability
11.1 Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the main agreement between the parties.
12. Governing Law
12.1 This DPA shall be governed by the laws specified in the Terms of Service.
Annexes to Standard Contractual Clauses
Annex I: List of Parties
Data exporter(s):
- Name: Controller’s name.
- Address: Controller’s registered business address and any address provided to Luna at the time that customer uses the services.
- Contact person’s name, position and contact details: Controller’s contact for the purposes of the SCCs will be the contact of the person that properly accepts and binds Controller to this agreement unless another contact person’s information is specifically provided to Luna in writing.
- Role: Controller.
Data importer(s):
- Name: Luna Launches, Inc.
- Address: 3 Germay Dr, Unit 4 #2756 Wilmington, DE 19804, USA
- Email: [email protected]
- Role: Processor.
Annex II: Description of Transfer
- Categories of data subjects:
  - Employees, contractors, and authorized users of the Controller
  - Individuals whose Personal Data is included in content uploaded to the Services
  - Other end users authorized by the Controller.
- Categories of personal data transferred:
  - Identification data (names, email addresses)
  - Authentication credentials (hashed passwords)
  - Professional information (job titles, roles, company affiliation)
  - User-generated content (launch details, milestones, resources, updates, OKRs, comments)
  - Profile information (photos if provided, biographical information)
  - Usage and metadata (IP addresses, browser information, feature usage)
  - Integration data (Jira issues, Slack conversations when connected)
  - Meeting notes and communications data (when uploaded).
- Sensitive data: No special categories of personal data under GDPR Article 9 are intentionally processed.
- Frequency of the transfer: Continuous as necessary for the provision of the Services.
- Nature of the processing: Storage, retrieval, organization, structuring, optional AI processing, transmission to subprocessors, and deletion.
- Purpose(s) of the data transfer and further processing: Provision of Luna's productivity and launch management services.
- Duration of processing: Duration of the active Services agreement. Upon termination, data will be deleted or returned as instructed by the Controller, except where retention is required by law.
Annex III: Technical and Organizational Measures
Specified in Section 4 of this agreement.