Data Processing and Sharing Agreement

Data Processing and Sharing Agreement

Updated 1 September 2025

This Data Processing and Sharing Agreement (“DPSA”) forms part of the Customer Agreement between the Parties (the “Agreement”), located at https://luminalearning.com/agreement. If a provision in this DPSA conflicts with a provision elsewhere in the Agreement, the provision in this DPSA governs.

1.               Definitions

1.1.           In this DPSA the following words or phrases have the meaning set out alongside them, save to the extent that the context clearly indicates otherwise. Other capitalised terms have the meaning as set out in the Agreement.

Controller: defined in UK Data Protection Law.

Customer Data: the following Personal Data about Participants:

a)               data the Customer provides to Lumina Learning for use in the delivery of Products and Services, such as Participants’ names, email addresses, grammatical gender, and responses to questions or tasks;

b)               data Participants provide to the Customer, or to Lumina Learning acting at the Customer’s direction, for use in the delivery of Products and Services, such as their responses to one of Lumina Learning’s online questionnaires; and

c)               data about Participants found in Portraits and other reports that Lumina Learning generates for the Customer during delivery of Products and Services.

Data Breach: defined in UK Data Protection Law.

Data Protection Law: UK Data Protection Law and any other data protection or privacy law that applies in the circumstances, such as Regulation (EU) 2016/679 (the EU’s GDPR).

Data Subject: defined in UK Data Protection Law.

Lumina Learning Data: the following Personal Data:

a)               data Lumina Learning collects about Data Subjects who have an account in its online system, such as contact details, technical information and usage details;

b)               data Lumina Learning collects about Practitioners and the Customer’s administrative staff, such as contact details;

c)               data Lumina Learning extracts or derives from Customer Data for purposes described in section 3 below (“Lumina Learning Research Data”); and

d)               data Lumina Learning collects to monitor compliance with the Agreement and to demonstrate its compliance with legal obligations, including the Customer’s data processing instructions.

Participant: a Data Subject who is an end user or end recipient of the Services that Lumina Learning provides to the Customer.

Personal Data: defined in UK Data Protection Law.

Processor: defined in UK Data Protection Law.

UK Data Protection Law: data protection or privacy law that applies in the United Kingdom, including the Data Protection Act 2018 and Regulation (EU) 2016/679 and associated law as retained in United Kingdom domestic law (the UK’s GDPR).

2.               Roles and Subject Matter: Customer Data

2.1.           Roles of the Parties: the Parties acknowledge that the Customer is a Controller of Customer Data, and Lumina Learning acts as a Processor of Customer Data on the Customer’s instructions.

2.2.           Subject matter of processing: Lumina Learning’s provision of Products and Services to the Customer under the Agreement.

2.3.           Duration of processing: for the duration of the Agreement, or until Customer Data is deleted in accordance with the Agreement.

2.4.           Nature and purpose of processing: Lumina Learning will use Customer Data to:

2.4.1.      organise delivery of Products and Services to the Customer; and

2.4.2.      generate other forms of Customer Data, such as Portraits and other reports the Customer requests, subject to the commercial terms the Parties have agreed.

2.5.           Type of personal data: Customer Data.

2.6.           Categories of Data Subjects: Participants.

2.7.           The Parties acknowledge that if any Customer Data is controlled by a third-party Controller, in this scenario (i) the Customer is a Processor acting on the Controller’s instructions, (ii) Lumina Learning is the Customer’s sub-processor, and (iii) the Parties will comply with the Agreement, with the Customer assuming the obligations of a Controller and Lumina Learning the obligations of a Processor. The Customer will promptly (i) provide the Controller’s instructions to Lumina Learning, and (ii) provide to the Controller any information provided by Lumina Learning regarding the processing. The Customer warrants that all instructions it provides are those of the Controller. Lumina Learning may take processing instructions directly from the Controller.

3.               Roles and Subject Matter: Lumina Learning Data

3.1.           Lumina Learning will act as a Controller of Lumina Learning Data, using and retaining it according to Lumina Learning’s published privacy notices and internal policies.

3.2.           Nothing in the Agreement is intended to make the Customer a Controller or a Processor of Lumina Learning Data.

3.3.           Lumina Learning may generate Lumina Learning Research Data by extracting it from (or deriving it through analysis of) Customer Data.

3.4.           Lumina Learning may use Lumina Learning Research Data for:

3.4.1.      quality control and validation of Lumina Learning’s psychometric models; and

3.4.2.      creation of pseudonymised or anonymised datasets for use in research and development.

4.               Customer’s Obligations

4.1.           The Customer must:

4.1.1.      comply with all relevant Data Protection Laws; and

4.1.2.      provide Lumina Learning with all information and assistance Lumina Learning reasonably requires to comply with its obligations as a Processor of Customer Data.

5.               Lumina Learning’s Obligations

5.1.           Lumina Learning must:

5.1.1.      comply with all relevant Data Protection Laws;

5.1.2.      process Customer Data only according to the Customer’s reasonable documented instructions (which are deemed to include the contents of the Agreement); and

5.1.3.      take steps to ensure that anyone acting under Lumina Learning’s authority who has access to Customer Data does not process those data except on the Customer’s instructions, unless they are required to do so by Data Protection Law.

5.2.           If, according to Data Protection Law Lumina Learning is required to process Customer Data other than as instructed by the Customer, then Lumina Learning must inform the Customer of the legal requirement before carrying out the processing, unless that law prohibits Lumina Learning from doing so on important grounds of public interest.

5.3.           Lumina Learning must inform the Customer if, in its opinion, any instruction infringes Data Protection Law.

5.4.           Lumina Learning must require, through legally binding mechanisms such as contracts and employment policies, its Representatives to whom it makes Customer Data available for processing to do so in strict compliance with Lumina Learning’s obligations under the Agreement.

5.5.           In processing Customer Data, Lumina Learning must secure the data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure and access by implementing and maintaining technical and organisational measures, including all measures set out in the Agreement, that are proportionate to the harm that could result from such events.

5.6.           Except to the extent prohibited by Data Protection Law, Lumina Learning must promptly relay to the Customer any requests, notifications, or complaints from a Data Subject or a supervisory authority relating to the processing of Customer Data.

5.7.           Regarding any Customer Data that Lumina Learning processes (or has previously processed), Lumina Learning must assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer’s obligations as Controller to respond to requests for exercising such a Data Subject’s rights laid down in the applicable Data Protection Law.

5.8.           In the event of a Data Breach involving Customer Data that Lumina Learning or any of its sub-processors are or had been processing, Lumina Learning must:

5.8.1.      notify the Customer without undue delay after becoming aware of the Data Breach;

5.8.2.      promptly investigate the causes of the Data Breach, identify the likely effects on the affected Data Subjects, and develop proposed measures to mitigate further effects and to remedy the Data Breach; and

5.8.3.      not publish any filing, communication, notice, press release, or report concerning the Data Breach, and not communicate directly with Data Subjects about the Data Breach, without the Customer’s prior written consent.

5.9.           The notification described in clause 5.8.1 must, at minimum:

5.9.1.      describe the nature of the personal data breach including, where possible, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned, and the names of all affected Data Subjects;

5.9.2.      communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

5.9.3.      describe the likely consequences of the Data Breach; and

5.9.4.      describe the measures that Lumina Learning proposes to take in order to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.10.        Lumina Learning’s obligation to report or respond to a Data Breach is not and will not be construed as admission of fault or liability by Lumina Learning with respect to the Data Breach.

5.11.        In the event of a conflict between a person’s obligations under the Agreement and the person’s obligations toward a Data Subject under the applicable Data Protection Law, that person must comply with their obligations to the Data Subject. Lumina Learning must notify the Customer, and give the Customer an opportunity to object, before taking any action that violates a term of the Agreement in order to comply with the Data Subject’s rights.

5.12.        The Customer may obtain a copy of Customer Data at any time by using the self-service export tools in the Online Account. The Customer acknowledges that some Customer Data is found within Products for which it must pay a Fee or exchange Points. (For example, to obtain the Customer Data in a Portrait, the Customer must pay a Fee or exchange the relevant quantity of Points for that Portrait).

5.13.        At the Customer’s request, or upon termination of the Agreement, or where clause 5.14 applies, Lumina Learning will delete Customer Data within 30 days, save that Customer Data in Lumina Learning’s backups and archives will be deleted according to Lumina Learning’s retention policies. After data deletion is initiated, it cannot be cancelled or reversed. Requests must be addressed to privacy@luminalearning.com.

5.14.        Lumina Learning may cease to process certain Customer Data, for example where a legacy product is retired, subject to providing the Customer with at least 30 days’ notice.

6.               Processing, Sub-Processing and International Transfers

6.1.           The Customer hereby gives Lumina Learning general written instruction to:

6.1.1.      process Customer Data in any manner reasonably required to achieve the purposes of processing;

6.1.2.      engage sub-processors to process Customer Data; and

6.1.3.      transfer Customer Data to any geographic location or international body where reasonably necessary to achieve the purposes of processing, subject to the existence of adequate safeguards.

6.2.           Lumina Learning must ensure that any sub-processor it uses to process Customer Data:

6.2.1.      has committed itself to confidentiality or is under an appropriate statutory obligation of confidentiality; and

6.2.2.      is required, by way of a written contract or other legal act under Data Protection Law, to process Customer Data in accordance with Lumina Learning’s obligations under the Agreement, and in particular provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the Data Protection Law.

6.3.           Lumina Learning may use the sub-processors listed in section 9 below.

6.4.           Lumina Learning may change the list of sub-processors in section 9, provided it notifies the Customer in writing a reasonable period of time in advance of the change. This period will be 30 days unless there is a compelling reason for a shorter period. The Customer may object to the change by notifying Lumina Learning in writing, providing reasons for its objection, before the end of the aforementioned period. If the Customer does not object within that period, the Customer is deemed to approve the change.

6.5.           If the Customer objects to a change of sub-processors, both Parties must use reasonable endeavours to reach an agreement to resolve the dispute within a period of 30 days. If the dispute is not resolved by the end of that period, either Party may terminate the Agreement immediately without liability by providing notice to the other Party.

6.6.           Lumina Learning is liable for the acts and omissions of sub-processors in processing Customer Data to the same extent as if it performed the processing.

7.               Audit

7.1.           Regarding the processing of Customer Data, Lumina Learning must make available to the Customer all information necessary to show Lumina Learning’s compliance with its obligations laid down in the Agreement.

7.2.           The Customer may audit Lumina Learning’s compliance with the Agreement. Any audits must:

7.2.1.      be at a mutually agreed time, or in the absence thereof with at least 30 Business Days’ notice;

7.2.2.      take place during Lumina Learning’s normal UK business hours;

7.2.3.      use all reasonable measures to minimise disruption to Lumina Learning’s operations; and

7.2.4.      take place no more than once in any rolling 12-month period.

8.               Term and Termination

8.1.           This DPSA survives termination of the Agreement, for as long as Lumina Learning or its sub-processors hold any copies of Customer Data.

9.               Approved Sub-processors

Where Lumina Learning Ltd is the contracting entity the following sub-processors are used:

Where an entity other than Lumina Learning Ltd is the contracting entity the following sub-processors are used: