Data Processing Agreement
Effective from: 6th of May, 2025
Lucanto Data Processing Agreement (DPA)
This Data Processing Agreement ("Agreement") governs the processing of personal data between the Controller and Stark Codes, s. r. o. ("Processor") in accordance with the GDPR.
1. Scope and Purpose of Processing
1.1 The Processor shall process the following categories of Personal Data on behalf of the Controller:
Identification Data (name, email)
Contact Data (phone number, address)
Transactional Data (invoices, payment records)
Usage Data (visits, actions, telemetry)
1.2 The purpose of processing is to provide and operate the Lucanto service, including authentication, invoicing, expense management, and team communication.
1.3 The legal bases for processing are contract performance, legitimate interests (security, service improvement), consent (for marketing and necessary cookies), and legal obligations.
2. Controller Responsibilities
2.1 The Controller shall ensure that:
All Personal Data and instructions provided to the Processor are lawful and GDPR-compliant.
Appropriate consents are obtained and data subjects are informed of processing.
Data subject requests (access, rectification, erasure, etc.) are handled in accordance with GDPR.
Instructions do not violate GDPR or other applicable laws.
3. Subprocessors
3.1 The Processor uses the following subprocessors under GDPR-compliant agreements:
HubSpot, Inc. — CRM and marketing automation.
Apollo.io — B2B contact enrichment and prospecting.
Linear — Support ticketing and customer request management.
Google LLC — Google Analytics for web and mobile analytics.
June.so — Performance monitoring and telemetry.
3.2 Each subprocessor is bound by a Data Processing Agreement, including EU Standard Contractual Clauses for transfers outside the EEA.
4. Security Measures
TLS encryption in transit and AES-256 encryption at rest;
Role-based access control with least-privilege principles;
Daily backups with geo-redundant storage;
Regular security audits and vulnerability tests.
5. International Transfers
5.1 Data is primarily stored within the EEA.
5.2 Transfers outside the EEA are protected by Standard Contractual Clauses.
6. Data Retention and Deletion
6.1 Personal Data is retained for the duration of the contractual relationship and for 10 years after the last login (for audit and legal purposes).
6.2 Upon account termination, data is permanently deleted within 45 days (backups deleted after 45 days).
6.3 Anonymized data may be retained indefinitely for analytical purposes.
7. Liability and Disclaimer
7.1 The Processor’s liability is limited to direct damages caused by a material breach of this Agreement.
7.2 The Processor is not liable for damages resulting from following the Controller’s documented instructions.
8. Conflict and Precedence
8.1 In the event of any conflict between this Agreement and the Lucanto Terms and Conditions, the provisions of this Agreement shall prevail.
9. Controller Rights
The Controller has GDPR rights: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
10. Term and Termination
10.1 This Agreement remains in effect for the duration of the contractual relationship and any legally required retention periods.
10.2 The Agreement may be terminated by termination of the Lucanto Terms and Conditions.
Governing Law: Slovak law
Jurisdiction: Courts of Bratislava
For inquiries, contact hello@lucanto.eu.