Data Processing Agreement

1. Compliance with Data Protection Laws

EU GDPR, UK GDPR, UK DPA 2018.

2. Processing Scope

Solely to provide Services. Categories: names, emails, phones, IPs, device IDs.

3. Controller/Processor Roles

Controller and Processor roles defined per applicable law. Contact: privacy@loony.dev

4. Confidentiality

Confidentiality obligations for all personnel.

5. Technical Measures

• Role-based access, quarterly reviews
• Min 12-char passwords, MFA for admin
• TLS 1.2+ transit, AES-256 at rest
• Continuous vulnerability scanning
• Automated backups
• Continuous logging
• UK/EU data storage, SOC 2 hosting
• Auto-deletion 90 days post-termination

6. Sub-processors

7. Data Subject Requests

Forwarded within 5 business days.

8. Breach Notification

Notification within 48 hours.

9. DPIA Assistance

Data Protection Impact Assessment assistance provided upon request.

10. Audit Rights

Annual audit rights with 30 days notice.

11. Data Return & Deletion

Return or deletion within 30 days post-termination.

12. Data Location

Data stored in EU/EEA/UK only.

13. Governing Law

English law governs.