Data Processing Agreement (DPA)

1. Introduction

1.1 Purpose and Scope

This Data Processing Agreement, including its Annexes ("DPA"), forms an addendum to the Terms of Use between Lunary LLC ("Processor") and the entity that has agreed to use Lunary LLC's Cloud Services ("Controller"), collectively referred to as the "Parties".

The purpose of this DPA is to reflect the Parties' agreement with regard to the processing of personal data in compliance with the requirements of applicable data protection laws, including but not limited to, the General Data Protection Regulation (GDPR) (EU) 2016/679.

Under this DPA, the Processor agrees to process personal data received from the Controller solely on behalf and under the instructions of the Controller, and for the specific purposes of providing the Cloud Service, which involves observability, prompt management, and evaluation platform functionalities for LLMs, as described in the Principal Agreement. The Cloud Service enables the Controller to integrate the Processor's SDK into their application to monitor LLM calls made, allowing the collection of information for observability and analytics purposes.

The Controller is the data controller of the personal data processed in the context of the Principal Agreement, and the Processor is the data processor of this data, processing it exclusively within the scope defined by this DPA and the Principal Agreement.

1.2 Definitions

For the purposes of this DPA, the following definitions shall apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed under the Principal Agreement.
  • "Processing" (and "Process") means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third-party processor engaged by Processor who agrees to receive personal data from Processor intended for processing activities to be carried out (i) on behalf of Controller; (ii) in accordance with Controller’s instructions as communicated by Processor; and (iii) in accordance with the terms of a written contract.
  • "Data Protection Laws" means all applicable laws relating to the processing, privacy, and use of Personal Data, as applicable to either party or the Services provided under the Principal Agreement, including, where applicable, the General Data Protection Regulation ((EU) 2016/679) ("GDPR").

This DPA, including its recitals and annexes, sets forth the rights and obligations of the Parties regarding the processing of Personal Data. In the event of inconsistencies between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail with regard to the Parties' data protection obligations.

The Annexes form an integral part of this DPA and contain details of the Processing, including the subject matter, duration of the processing, nature, and purpose of processing, the type of personal data processed, and the categories of data subjects.

2. Details of the Processing

2.1 Nature and Purpose of Processing

The Processor is engaged by the Controller to provide an observability, prompt management, and evaluation platform for LLMs through the Processor's Cloud Service. As part of this service, the Controller will integrate the Processor’s Software Development Kit (SDK) into their application, which enables the monitoring of language model (LLM) calls. The Processor will collect and analyze this data to provide the Controller with insights, analytics, and other related services as described in the Principal Agreement.

The processing activities performed by the Processor on behalf of the Controller are strictly limited to those necessary to deliver the services outlined in the Principal Agreement. This includes:

  • Collection and storage of data generated or transmitted by the use of the Processor’s SDK within the Controller's application.
  • Analysis of this data to produce observability and analytics outcomes.
  • Removal or deletion of data in accordance with the data retention policies agreed upon by the Parties.

2.2 Type of Personal Data

The types of Personal Data processed under this DPA may include, but are not limited to:

  • Information about the interactions between end-users (data subjects) and the language models (LLMs), which may include textual inputs and outputs.
  • Metadata related to the use of the Processor’s services, which may include timestamps, device information, and network information.

It is the responsibility of the Controller to ensure that the data transmitted to the Processor for processing does not include any special categories of personal data (as defined under applicable data protection laws) unless explicitly agreed upon in writing by the Parties.

2.3 Categories of Data Subjects

The categories of data subjects whose Personal Data may be processed under this DPA include:

  • End-users of the Controller’s application that integrates the Processor’s SDK.
  • Any other individuals who interact with the language models (LLMs) through the Controller’s application, to the extent their information is collected and processed as part of the provided services.

The Controller shall maintain a record of processing activities under its responsibility that includes the categories of processing activities performed on behalf of the Controller as required by the applicable Data Protection Laws. The Processor shall only process Personal Data in accordance with the documented instructions from the Controller, unless required by law to act without such instructions.

3. Obligations of the Parties

3.1 Processor Obligations

The Processor agrees to process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or member state law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

  1. Confidentiality: The Processor ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  2. Security Measures: The Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

  3. Sub-processing: The Processor shall not engage another processor without prior written consent of the Controller. Where the Processor engages another processor for carrying out specific processing activities, the same data protection obligations as set out in this DPA shall be imposed on that other processor.

  4. Data Subject Rights: The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 12 to 22 of the GDPR regarding data subject rights.

  5. Data Breach Notification: The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

  6. Data Protection Impact Assessment and Prior Consultation: The Processor shall provide assistance to the Controller with any data protection impact assessments and prior consultations with supervising authorities or other competent data privacy authorities, as required under Article 35 or 36 of the GDPR.

3.2 Controller Obligations

The Controller is responsible for ensuring that:

  1. Lawfulness of Processing: The processing of personal data is performed lawfully, fairly, and transparently, in accordance with the applicable data protection laws.

  2. Instructions to Processor: The Controller provides clear and documented instructions to the Processor for the processing of data, including the processing of any transfers of personal data to a third country or an international organization.

  3. Rights of Data Subjects: The Controller has the responsibility to protect the data subjects' rights under the applicable data protection legislation.

  4. Data Accuracy and Quality: The personal data provided to the Processor for processing is accurate, complete, and current.

3.3 Compliance with Laws

Both parties shall comply with all applicable data protection laws and regulations with respect to the processing of Personal Data under this DPA. The Controller is responsible for ensuring that there is a lawful basis for the processing and that it has obtained all necessary consents from data subjects, where required, before providing any Personal Data to the Processor for processing.

4. Sub-processing

4.1 Use of Sub-processors

The Processor is authorized to engage third-party sub-processors to assist in fulfilling the Processor's obligations with respect to providing the agreed-upon services under the Principal Agreement, subject to the conditions set out in this DPA. The engagement of sub-processors is contingent upon the Processor ensuring that the arrangement between the Processor and the sub-processor is governed by a written contract that imposes on the sub-processor the same data protection obligations that are imposed on the Processor under this DPA.

4.1.1 Approval of Sub-processors

The Controller grants general authorization to the Processor to engage the listed sub-processors included in Annex 3 of this DPA. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

4.1.2 Objections to Sub-processors

The Controller may object to the Processor’s appointment of a new sub-processor on reasonable grounds related to data protection concerns by notifying the Processor in writing within a specific period following the Processor’s notice of the intended change. If the Controller objects to a new sub-processor and the parties cannot resolve such objection, the Processor will either not appoint the sub-processor or, if this is not reasonably practicable, the Controller may suspend or terminate the Principal Agreement (without prejudice to any fees incurred by the Controller up to and including the date of suspension or termination).

4.2 List of Initial Sub-processors

The Processor has engaged the following sub-processors to process personal data:

  • Hosting Services: Hetzner, Vercel, Google Cloud
  • Error Monitoring: Sentry
  • Product Analytics: PostHog
  • Customer Service: Crisp
  • AI Features: OpenAI, OpenRouter

A current and complete list of sub-processors may be found in Annex 3, which will be updated by the Processor as needed.

4.3 Sub-processor Obligations

Sub-processors are required to adhere to the same level of data protection and security as set forth in this DPA and the Principal Agreement. The Processor remains responsible to the Controller for the performance of the sub-processor’s obligations in accordance with the DPA’s terms. The Processor will ensure that all sub-processors are contractually bound to:

  • Process personal data only on documented instructions from the Processor, consistent with the Controller’s instructions.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.
  • Adhere to the conditions for engaging further sub-processors as set out in this DPA.

The use of sub-processors by the Processor does not relieve the Processor of any of its responsibilities or liabilities under this DPA.

5. Data Transfer

5.1 Transfer Mechanisms for Data Transfers

Personal Data processed under the terms of this DPA and the Principal Agreement may be transferred from the Controller to the Processor, and to Sub-processors engaged by the Processor, subject to compliance with the applicable Data Protection Laws regarding international data transfers. Such transfers shall only occur in the context of the performance of the Processor’s services under the Principal Agreement and shall adhere to the following conditions:

5.1.1 Data Hosting and Transfer Locations

The Processor shall host and process data in Germany/Europe by default. For purposes of redundancy and backup, personal data may be transferred to and stored in other European Union countries. Any further transfer of personal data outside the European Economic Area (EEA) shall only take place subject to compliance with applicable Data Protection Laws, including ensuring appropriate safeguards are in place.

When transferring personal data outside of the EEA, the Processor will ensure that such transfers are subject to:

  • Adequacy decisions by the European Commission;
  • Appropriate safeguards as per Article 46 of the GDPR, including but not limited to Standard Contractual Clauses (SCCs) adopted by the European Commission, or any other mechanism deemed adequate by the GDPR;
  • Binding corporate rules approved by competent supervisory authorities (if applicable);
  • Explicit consent from the Data Subject, after having been informed of the possible risks, for transfers not covered by the above mechanisms.

5.1.3 Documentation and Audit of Transfer Mechanisms

The Processor agrees to maintain records of data transfers and the mechanisms utilized for such transfers. Upon the Controller’s reasonable request, the Processor shall provide documentation or evidence demonstrating compliance with the obligations set out in this section regarding international data transfers.

5.1.4 Data Transfer in the Context of Sub-processor Engagement

In cases where the Processor engages a Sub-processor and personal data is transferred outside the EEA, the Processor shall ensure that the Sub-processor is either located in a country recognized as providing an adequate level of protection for personal data by the European Commission or that the Sub-processor has entered into legally binding and enforceable commitments to provide an adequate level of protection for the transferred data.

6. Security of Processing

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing activities described in this DPA, in compliance with Article 32 of the GDPR. These measures are designed to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage to Personal Data. The specific security measures are outlined below:

6.1 Security Measures

6.1.1 Encryption

Personal Data is encrypted in transit between the Controller’s systems and the Processor’s systems using HTTPS/TLS, ensuring that data remains secure, integral, and confidential during transmission over networks.

6.1.2 Access Control

Access to Personal Data is limited to authorized personnel who require access as part of their job responsibilities. The Processor ensures that its personnel are aware of and comply with the internal policies regarding data privacy and security.

6.1.3 Data Minimization

The Processor shall ensure that Personal Data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

6.1.4 Regular Testing and Evaluation

The security measures implemented by the Processor are regularly tested, assessed, and evaluated to ensure their effectiveness in securing the processing of Personal Data.

6.2 Incident Response

In the event of a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by the Processor, the Processor will:

  1. Notify: The Processor shall notify the Controller without undue delay after becoming aware of the personal data breach.
  2. Investigate: The Processor will promptly investigate the incident to determine its cause and take appropriate measures to mitigate the effects of the incident.
  3. Cooperation and Assistance: The Processor shall cooperate with the Controller and provide reasonable assistance as needed to enable the Controller to notify affected individuals and relevant regulatory authorities, where necessary.
  4. Documentation: The Processor will document the incident, its effects, and the remedial actions taken. Such documentation will be made available to the Controller upon request.

6.3 Updates and Improvements

The Processor is committed to the continuous improvement of security measures. As threats evolve, the Processor will periodically review and update its security policies and controls to ensure that its security remains in line with or exceeds industry standards.

The Processor's commitment to security is evidenced by its ongoing efforts towards achieving recognized certifications and adherence to industry standards, such as SOC2 and ISO27001.

7. Data Breach

7.1 Breach Notification

In the event of a personal data breach, the Processor shall without undue delay, and whenever feasible, not later than 48 hours after having become aware of it, notify the Controller of the personal data breach. This notification shall include, to the extent possible, the following information:

  1. Description of the Nature of the Personal Data Breach: Including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  2. Name and Contact Details of the Data Protection Officer or Another Contact Point: Where more information can be obtained.
  3. Description of the Likely Consequences: Specifically related to the personal data breach.
  4. Description of the Measures Taken or Proposed: To be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall document all personal data breaches, including the facts relating to the personal data breach, its effects, and the remedial action taken. This documentation must enable the Controller and any supervisory authority to verify compliance with Article 33 of the GDPR.

7.2 Incident Response

Upon notification of a breach, the Processor shall take immediate steps to secure the data, minimize the effects of the breach, and prevent a recurrence. This includes:

  1. Assessment: Quickly assess the scope and impact of the breach to determine immediate containment measures.
  2. Containment and Recovery: Take steps to limit the breach's impact and recover lost data where possible.
  3. Investigation: Conduct a thorough investigation to determine the breach's cause and implement measures to prevent future breaches.
  4. Cooperation: Work closely with the Controller to address the breach and assist in any investigations by the Controller or relevant data protection authorities.

The Processor’s prompt notification and response to data breaches are crucial in managing and mitigating any harm to data subjects and ensuring ongoing compliance with the GDPR and other applicable data protection laws.

8. Data Retention and Deletion

8.1 Retention Period

The Processor shall retain Personal Data processed on behalf of the Controller only for as long as necessary to fulfill the purposes for which the data was collected or to perform the services described in the Principal Agreement, including any period necessary to comply with legal, accounting, or reporting requirements, or to resolve disputes.

Additionally, retention periods may vary based on the specific customer plan chosen by the Controller, allowing for custom data retention policies as agreed upon in writing between the Controller and the Processor. In any event, the Processor will not retain Personal Data beyond the duration of the customer's subscription to the Processor’s services, unless legally required or permitted.

8.2 Deletion or Return of Data

Upon termination or expiration of the Principal Agreement, the Controller may, at its discretion, request the deletion or return of all Personal Data processed by the Processor. The Processor agrees to comply with any such request within thirty (30) days unless there is a legal requirement to retain certain data. In cases where the Controller does not make a choice, the Processor will automatically delete all Personal Data from its systems within ninety (90) days following the termination or expiration of the Principal Agreement, except for data that must be retained under applicable law.

8.2.1 Backup Data

Personal Data that has been removed from the Processor's active systems may remain in backups for up to thirty (30) days. During this period, the data is inaccessible for processing activities other than the restoration of the data in case of loss or damage. All Personal Data held in backups will be permanently deleted or anonymized at the end of this thirty-day period.

8.2.2 Certification of Deletion

Upon request, the Processor shall provide the Controller with a written certification indicating that all Personal Data has been deleted or returned in accordance with the terms of this section.

9. Rights of Data Subjects

9.1 Assistance with Data Subject Rights

The Processor acknowledges that the Controller has certain obligations under the GDPR and other applicable data protection laws with respect to the rights of data subjects, including but not limited to the right to access, rectify, erase, restrict processing, object to processing, and the right to data portability. The Processor agrees to assist the Controller in fulfilling these obligations by:

  1. Prompt Notification: Informing the Controller without undue delay if the Processor receives a request from a data subject to exercise one or more of its rights under the GDPR or other applicable data protection laws.
  2. Assisting with Responses: Providing the Controller with the necessary information and support to respond to requests from data subjects to exercise their rights. This assistance may include technical and organizational measures to enable the fulfillment of such requests.
  3. Technical Measures: Implementing the necessary technical and organizational measures to enable the fulfillment of data subjects' requests.

The scope and manner of assistance shall take into account the nature of processing and the information available to the Processor. Any costs arising from such assistance may be charged by the Processor to the Controller provided they are reasonable and agreed upon.

9.2 Tools for Data Management

The Processor will provide the Controller with appropriate tools, to the extent technically feasible, that enable and facilitate the oversight and management of Personal Data processed under this DPA. These tools may include functionalities that allow the Controller to perform actions such as:

  1. Accessing Personal Data: Enabling the Controller to access Personal Data processed by the Processor.
  2. Correcting or Updating Data: Providing functionalities for the Controller to correct or update Personal Data.
  3. Deleting Data: Facilitating the process for the Controller to delete Personal Data or to comply with data subjects' requests for erasure under applicable data protection laws.

The Processor’s provision of these tools aims to empower the Controller to manage Personal Data effectively and to ensure that the Controller can comply with its obligations under the GDPR and other applicable data protection laws, particularly those related to the rights of data subjects.

10. Audit and Compliance

10.1 Audit Rights

To verify compliance with the obligations under this DPA and applicable data protection laws, the Controller is entitled to conduct audits, including inspections, of the data processing activities performed by the Processor on behalf of the Controller. The audits may be carried out by the Controller or an auditor mandated by the Controller. The conditions for conducting audits are as follows:

  1. Advance Notice: The Controller shall provide the Processor with reasonable notice of any audit or inspection to be conducted under the terms of this DPA, which shall not be less than thirty (30) days unless an urgent audit is required by data protection authorities or it is prompted by a confirmed or suspected breach of personal data.
  2. Frequency of Audits: To minimize disruptions to the Processor's operations, the audits shall not be conducted more than once per year, except if:
     a. The Controller has reasonable grounds to believe that the Processor does not process Personal Data in compliance with this DPA or applicable laws.
     b. The audit is formally requested by the Controller’s data protection authority.
     c. Applicable Data Protection Laws provide the Controller with a direct audit right that cannot be fulfilled through other means.
  3. Method of Audit: The Controller shall ensure that the audits are conducted in a manner that does not adversely affect the Processor's operations or the confidentiality of the data it processes for its other clients. The Processor may require the Controller and its auditor to sign a confidentiality agreement before conducting the audit.
  4. Costs of Audit: The Controller shall bear the costs of the audit unless the audit reveals non-compliance on the part of the Processor, in which case the Processor shall bear the cost of the audit.

10.2 Documentation of Compliance

The Processor agrees to provide the Controller upon request with all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection laws, and to allow for and contribute to audits, including inspections, initiated by the Controller or the Controller’s designated auditor.

The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing:

  • The details of the Processor and any Sub-processors;
  • The categories of processing carried out on behalf of the Controller;
  • Where applicable, transfers of personal data to a third country, including the identification of that country and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
  • A general description of the technical and organizational security measures referred to in Article 32(1) of the GDPR.

11. Liability and Indemnification

11.1 Liability

Each party (the "Liable Party") shall be liable to the other party for any damages caused by its breach of this Data Processing Agreement (DPA). The extent of liability of each party shall be subject to the limitations and exclusions set forth in the Principal Agreement between the Controller and the Processor, except in cases of gross negligence or willful misconduct.

Liability under this section is limited to direct damages. Neither party shall be liable for indirect, incidental, consequential, special, exemplary, or punitive damages (including loss of profits, revenue, data, or use) incurred by the other party in connection with this DPA, even if the other party has been advised of the possibility of such damages.

Notwithstanding the foregoing, nothing in this DPA shall limit the Controller's data subjects' rights under applicable data protection laws or the Controller's ability to seek remedies under such laws.

11.2 Indemnification

  1. By the Processor: The Processor agrees to indemnify, defend, and hold harmless the Controller and its directors, officers, employees, and agents from and against all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) related to a violation of this DPA or applicable data protection laws by the Processor or its Sub-processors, except to the extent the claim arises from the Controller's instructions or from the Controller's failure to comply with its obligations under applicable data protection laws.

  2. By the Controller: The Controller agrees to indemnify, defend, and hold harmless the Processor and its directors, officers, employees, and agents from and against all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) related to a violation of applicable data protection laws by the Controller, except to the extent the claim arises from the Processor's failure to comply with its obligations under this DPA or applicable data protection laws.

  3. Procedure: The indemnified party shall promptly notify the indemnifying party of any claim, cooperate with the indemnifying party in defending the claim, and allow the indemnifying party to control the defense and settlement of the claim, provided that the indemnifying party may not settle any claim in a manner that adversely affects the rights or interests of the indemnified party without its prior written consent.

12. Data Protection Impact Assessment and Prior Consultation

12.1 DPIAs

The Processor agrees to provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs), and any subsequent consultations with supervising authorities or other competent data privacy authorities, which the Controller is required to carry out under Article 35 of the GDPR or equivalent provisions of other applicable data protection laws.

This assistance shall particularly include providing necessary information regarding the processing of Personal Data by the Processor and the implementation of security measures.

12.2 Consultations

In the event that the Controller is required to engage in a prior consultation with the supervising authority or any other competent data privacy authorities under Article 36 of the GDPR or equivalent provisions of other applicable data protection laws, due to a DPIA indicating that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk, the Processor shall:

  • Provide detailed information to the Controller about the processing activities conducted on behalf of the Controller, including the specific risks related to the processing and the measures implemented to mitigate those risks.
  • Assist the Controller in preparing the documentation and information necessary for the prior consultation.
  • Accompany and support the Controller in discussions with the supervising authority or other competent data privacy authorities, when requested and where applicable.

The Processor's obligation to assist the Controller under this section is contingent upon the Controller providing timely notice to the Processor of the need for such assistance and any requests from supervising authorities or other competent data privacy authorities.

The costs related to providing assistance under this section shall be borne by the Controller unless otherwise agreed upon, provided that any such costs are reasonable and have been communicated to the Controller in advance.

13. Transfer of Personal Data

13.1 Conditions for Transfer

The Processor shall not transfer, nor allow any Sub-processor to transfer, any Personal Data to a country outside of the European Economic Area (EEA) or an international organization, unless the following conditions are met:

  1. Adequacy Decision: The European Commission has made an adequacy decision with respect to the data protection laws of the country to which Personal Data is to be transferred.
  2. Appropriate Safeguards: In the absence of an adequacy decision, the Processor ensures that appropriate safeguards, as specified under Article 46 of the GDPR, are in place, which may include but are not limited to, the use of Standard Contractual Clauses approved by the European Commission, Binding Corporate Rules, or other legally recognized mechanisms.
  3. Derogations for Specific Situations: As a last resort, the Processor may rely on derogations for specific situations as set forth in Article 49 of the GDPR, in the strict scenarios where neither an adequacy decision nor appropriate safeguards are available.

13.2 Documentation of Transfer Mechanisms

The Processor agrees to document the transfer mechanisms put in place for transferring Personal Data under this DPA and to make such documentation available to the Controller upon request. This documentation shall include information on:

  • The countries to which Personal Data is transferred, and the justification for such transfers.
  • The measures and safeguards implemented to protect the Personal Data during its transfer and processing at the destination.
  • Any changes or updates to the transfer mechanisms or to the legal framework of the destination country that might affect the adequacy of protections for transferred Personal Data.

The Processor also commits to promptly inform the Controller of any developments that may impact the legality or safety of the Personal Data being transferred under the scope of this DPA, allowing the Controller to take necessary corrective actions, including but not limited to suspending the transfer of Personal Data.

14. Term and Termination

14.1 Effective Date and Term

This Data Processing Agreement (DPA) becomes effective on the date it is signed by both parties and shall remain in effect concurrently with the Principal Agreement between the Controller and the Processor, or until terminated by either party in accordance with the terms set forth herein.

14.2 Termination

  1. Termination by Notice: Either party may terminate this DPA with immediate effect by giving written notice to the other party if:
    • The other party breaches any of its obligations under this DPA and fails to cure such breach within thirty (30) days after receiving written notice of the breach.
    • The other party becomes insolvent, files for bankruptcy, makes an arrangement with its creditors, or goes into liquidation.
  2. Automatic Termination: This DPA will automatically terminate upon the expiration or termination of the Principal Agreement.
  3. Obligations upon Termination:
    • Upon termination of this DPA for any reason, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless EU law or the national law of an EU member state or another applicable law, including any state or federal law of the United States, requires storage of the Personal Data.
    • The Processor shall provide the Controller with certification to that effect, upon request.
  4. Survival: Provisions of this DPA that, by their nature, should survive termination of this DPA will remain in effect after its termination. This includes, but is not limited to, obligations concerning confidentiality, data protection, data subject rights, and liability.

This section outlines the duration, termination conditions, and post-termination obligations of the DPA, ensuring that both parties are aware of their rights and responsibilities upon the end of the data processing relationship.

15. Miscellaneous

15.1 Amendments

This Data Processing Agreement (DPA) may be amended or modified only with the mutual written consent of both parties. Any amendments made to the DPA will take precedence over any conflicting provisions in the Principal Agreement to the extent of the conflict concerning the processing of Personal Data.

15.2 Severability

If any provision of this DPA is held by a court of competent jurisdiction to be invalid, unlawful, or unenforceable, the remaining provisions of the DPA will remain in full force and effect. The invalid, unlawful, or unenforceable provision shall be amended by the parties to achieve as closely as possible the original intentions of the parties to the extent necessary for the provision to be legal, valid, and enforceable.

15.3 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws principles. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the state and federal courts located in Delaware.

15.4 Entire Agreement

This DPA, together with the Principal Agreement and any other documents referred to herein, constitutes the entire agreement between the parties concerning the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, between the parties.

15.5 Notices

All notices, requests, demands, and other communications under this DPA must be in writing and will be deemed to have been duly given when delivered by hand, sent by certified or registered mail (return receipt requested), or sent by reputable overnight courier service to the addresses set forth in the Principal Agreement, or to such other address as either party may specify in writing in accordance with this provision.

15.6 Assignment

Neither party may assign any of its rights or obligations under this DPA without the prior written consent of the other party, which consent shall not be unreasonably withheld, conditioned, or delayed. Notwithstanding the foregoing, either party may assign this DPA in its entirety, without the other party's consent, to its affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets.

15.7 No Waiver

No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of that right. A waiver of any default is not a waiver of any subsequent default. A waiver of any of these terms must be in writing and shall not constitute a continuing waiver or a waiver of any other term or condition.

This section provides miscellaneous but essential legal clarifications and provisions that ensure the proper governance, interpretation, and execution of the DPA, contributing to the overall structure and enforceability of the agreement.

16. Annexes

Annex 1: Details of Processing

This annex forms part of the Data Processing Agreement (DPA) and provides detailed information about the personal data processing activities carried out by the Processor, on behalf of the Controller.

1.1 Nature and Purpose of Processing

The Processor is engaged in providing cloud-based observability, prompt management, and evaluation services for large language models (LLMs) as described in the Principal Agreement. In the course of providing these services, the Processor will perform the following processing activities on the personal data provided by the Controller:

  • Collection: Accumulating data generated by or resulting from the interactions with LLMs through the Controller's application integrated with the Processor's SDK.
  • Storage: Holding the collected data on secure servers for the purpose of further processing.
  • Analysis: Applying analytical tools and algorithms to the stored data to generate insights, performance metrics, and other derived data to improve and customize the services provided to the Controller.
  • Reporting: Generating reports and visualization of analytics for the Controller, based on the processed data.

The purpose of these processing activities is to provide the Controller with comprehensive insights into the use and performance of LLMs within their application, facilitate improvements, and support decision-making processes related to AI implementations.

1.2 Type of Personal Data

The types of personal data processed might include, but are not limited to:

  • User Interaction Data: Data capturing how users interact with the LLMs, including inputs to and outputs from the LLMs and other related information.
  • Metadata: Information relating to the interaction with the LLMs, including timestamps and device type.

1.3 Categories of Data Subjects

The categories of data subjects may comprise:

  • End-users: Individuals who interact with the Controller's application.
  • Clients: In cases where the Controller provides business-to-business services, employees or representatives of client organizations who interact with the Controller's application.

1.4 Obligations and Rights of the Controller

The Controller shall ensure that the processing of personal data under the Principal Agreement is lawful, fair, and transparent. The Controller has the responsibility to ensure that data subjects are informed of the processing activities and that it has obtained all necessary consents or has established another lawful basis for processing personal data as required by applicable data protection laws.

The Controller retains all rights and obligations related to the personal data provided to the Processor for processing under the terms of the DPA and applicable laws. These rights include, but are not limited to, the right to make decisions regarding the purpose and means of the processing, responding to data subject rights requests, and ensuring compliance with data protection regulations.

This annex reflects the agreed-upon processing activities, types of data processed, categories of data subjects, and clarifies the Controller's obligations and rights. It is crucial that both parties review and update this annex periodically to reflect any changes in processing activities or legal requirements.

Annex 2: Security Measures

This annex outlines the comprehensive technical and organizational measures Lunary has implemented to ensure the security of data processing activities, in strict compliance with Article 32 of the General Data Protection Regulation (GDPR).

2.1 Technical Measures

To safeguard the integrity, confidentiality, and availability of data, Lunary employs the following technical measures:

  • Encryption in Transit: All data transmitted between the customer's applications and Lunary's systems is encrypted using HTTPS/TLS protocols, ensuring secure, integral, and confidential data transfer.
  • Access Controls: Access to data is strictly regulated. Only authorized personnel with a legitimate need to access the data as part of their job responsibilities are granted access.
  • Network Security: Robust network security measures, including firewalls, intrusion detection systems, and regular security assessments, are in place to prevent unauthorized access and potential threats.

2.2 Organizational Measures

Lunary's commitment to data security is reflected in our organizational practices, which include:

  • Staff Training: Regular training programs are conducted to ensure that all employees are aware of their data protection responsibilities and the best practices for securing personal data.
  • Confidentiality Agreements: All employees and contractors are required to sign confidentiality agreements that obligate them to maintain the confidentiality of personal data.
  • Access Limitation Policies: Policies are in place to limit data access to only those individuals who need it to perform their job functions, ensuring that unnecessary access to personal data is prevented.
  • Data Retention and Deletion: Data retention periods are determined based on the customer's plan, with options for custom data retention available. Lunary provides tools for customers to delete data from our servers, with the assurance that deleted data will be purged from backups within 30 days.

Annex 3: Sub-processors

This annex provides a detailed list of current Sub-processors engaged by the Processor, outlining their specific roles, processing activities, and geographical locations.

3.1 Current Sub-processors

Below are the names, details, and locations of all Sub-processors currently utilized by the Processor:

  • Hetzner Online GmbH
    • Role and Processing Activities: Hosting services
    • Processing Location: Germany
  • Google Cloud (Google LLC)
    • Role and Processing Activities: Hosting services
    • Processing Location: Germany
  • Sentry, Inc.
    • Role and Processing Activities: Error monitoring and management
    • Processing Location: United States
  • PostHog, Inc.
    • Role and Processing Activities: Product analytics
    • Processing Location: United States
  • Crisp IM SARL
    • Role and Processing Activities: Customer service platform
    • Processing Location: Netherlands
  • OpenAI, Inc.
    • Role and Processing Activities: AI features and capabilities
    • Processing Location: United States
  • OpenRouter, LLC
    • Role and Processing Activities: AI features and capabilities
    • Processing Location: United States

This list of Sub-processors is subject to updates and modifications as the Processor's service offerings evolve. The Processor commits to maintaining transparency and will provide timely updates to this annex as necessary.