Lumen Notes
Data Processing Agreement
Effective date: June 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lumen Notes ("Processor", "we") and the customer ("Controller", "you") wherever we process personal data on your behalf. For PHI of US therapy clients, the executed Business Associate Agreement controls to the extent of any conflict.
1. Roles and scope
You (the clinician or practice) are the controller of client records created in Lumen; we are the processor acting on your documented instructions. The instructions are: transcribe session audio, draft clinical notes, store and make available the records you keep, and delete data per the product's deletion rules and your requests.
2. Categories of data and data subjects
- Data subjects: your therapy clients; your workspace members.
- Client data: session audio (transient — deleted on note signing), transcripts, clinical notes, treatment plans, appointment metadata. This is special-category / health data.
- Workspace data: names, emails, roles, and activity of clinicians and staff.
3. Our obligations
- Process personal data only on your documented instructions, including with regard to international transfers.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement the technical and organizational measures described on the Security page: encryption in transit and at rest, role-based access controls, audit logging, audio deletion on signing.
- Never use client data to train AI models, and contractually bind subprocessors to the same restriction.
- Assist you, taking into account the nature of processing, with data-subject requests and with your security and breach-notification obligations.
- Notify you without undue delay after becoming aware of a personal-data breach affecting your data.
- Delete or return personal data at the end of the engagement, per the retention schedule in the Privacy Policy (30-day export window, rolling 35-day backup expiry).
- Make available information necessary to demonstrate compliance, and allow for audits as described below.
4. Subprocessors
You authorize the subprocessors listed at /legal/subprocessors. We will update that page and notify account holders by email at least 14 days before adding or replacing a subprocessor that processes client data; if you object on reasonable data-protection grounds and we cannot accommodate, you may terminate and receive a pro-rata refund of prepaid fees.
5. International transfers
Production data is hosted in the United States (regions per the Subprocessors page). Where personal data of EEA/UK data subjects is transferred to the United States, the parties rely on the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor) and the UK Addendum, both of which are incorporated by reference into this DPA.
6. Audits
We respond to reasonable written security questionnaires at no charge. On request and under NDA, we share third-party audit materials (including the SOC 2 Type II report when our in-progress audit completes). On-site audits are available where required by law, at the controller's expense, with 30 days' notice, no more than annually.
7. Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except where applicable data-protection law does not permit such limitation.
Contact
To execute a countersigned copy of this DPA or ask questions: support@lumen.1labs.app.