Last Updated: February 11, 2026
Overview
This Data Processing Agreement ("DPA") forms part of the LukaGRC Terms of Service and applies when LukaGRC processes personal data on behalf of customers in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Definitions
- Controller: The customer who determines the purposes and means of processing personal data
- Processor: LukaGRC, which processes personal data on behalf of the Controller
- Personal Data: Any information uploaded to LukaGRC that relates to an identified or identifiable individual
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
Scope of Processing
LukaGRC processes personal data only as necessary to provide our services, including:
- Account and user management
- AI-powered document analysis and evidence mapping
- Questionnaire automation
- Vendor risk management
- Platform support and troubleshooting
Data Subject Categories
Personal data may relate to:
- Customer employees and authorized users
- Third-party vendors and assessors
- Individuals mentioned in compliance documentation
Types of Personal Data
- Names and contact information
- Employment details and job titles
- IP addresses and system logs
- Data contained in uploaded policies and documentation
Security Measures
LukaGRC implements appropriate technical and organizational measures including:
- Encryption in transit and at rest
- Multi-tenant data isolation
- Access controls and authentication
- Regular security testing and audits
- Audit logging of data access
- Employee confidentiality obligations
Sub-Processors
LukaGRC engages the following sub-processors:
- Amazon Web Services (AWS): Cloud hosting infrastructure
- Google Cloud Platform: AI processing (when cloud AI is enabled)
We will notify customers at least 30 days before adding new sub-processors.
Data Subject Rights
LukaGRC will assist customers in responding to data subject requests including:
- Access requests
- Rectification requests
- Erasure requests
- Restriction of processing
- Data portability
Customers can contact hello@lukagrc.com for assistance with data subject requests.
Data Breach Notification
In the event of a personal data breach, LukaGRC will:
- Notify affected customers without undue delay
- Provide details of the breach and affected data
- Describe measures taken to address the breach
- Assist customers in meeting their notification obligations
International Data Transfers
Personal data may be transferred to countries outside the European Economic Area. LukaGRC ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms as required
Data Retention and Deletion
LukaGRC retains personal data only as long as necessary to provide services. Upon termination:
- Customers have 30 days to export their data
- LukaGRC will delete or anonymize personal data after the retention period
- Some data may be retained for legal or compliance purposes
Audit Rights
Customers may request information about LukaGRC's compliance with this DPA, including:
- SOC 2 Type II audit reports (when available)
- Information about security measures
- Details of sub-processors
Contact
For questions about this DPA or to request a signed copy:
Email: hello@lukagrc.com