DATA PROCESSING ADDENDUM (TEMPLATE) — Lumen-Pro by Elite AI Empire
Version 2026-05-24

This Data Processing Addendum ("DPA") forms part of the Lumen-Pro Terms
of Service between Elite AI Empire ("Processor") and the Customer
("Controller").

1. DEFINITIONS — Per GDPR Article 4.

2. SCOPE — Processor processes Personal Data on behalf of Controller
   solely to deliver the Lumen-Pro service.

3. SUBJECT MATTER — Account data, OAuth tokens, flow definitions, run
   records, audit logs.

4. NATURE + PURPOSE — Automation of Controller-defined workflows across
   third-party services authenticated via OAuth.

5. CATEGORIES OF DATA SUBJECTS — Controller's authorized users; persons
   referenced in trigger payloads passing through flows.

6. CATEGORIES OF PERSONAL DATA — Email addresses, OAuth tokens (encrypted),
   flow purpose text, trigger payload contents.

7. PROCESSOR OBLIGATIONS:
   (a) process only on documented instructions from Controller;
   (b) ensure confidentiality of personnel;
   (c) implement TOMs per Annex II (AES-256-GCM at rest, TLS 1.2+ in
       transit, hash-chained audit log, principle of least privilege);
   (d) engage Sub-processors only with Controller's prior consent
       (current list at /pro/privacy);
   (e) assist Controller with data subject rights requests within 30 days;
   (f) notify Controller of personal data breach within 72 hours of
       awareness;
   (g) delete or return Personal Data at end of provision of services.

8. SUB-PROCESSORS — Listed at /pro/privacy. Controller is deemed to have
   given general written authorization; we will notify of changes 30 days
   in advance.

9. INTERNATIONAL TRANSFERS — Data is hosted in EU (Oracle Frankfurt).
   For any transfer outside the EEA, Standard Contractual Clauses (EU
   2021/914) apply by reference.

10. AUDIT — Controller may audit Processor's compliance with this DPA
    no more than once per year, on 30 days notice, during business hours,
    subject to confidentiality. SOC2 Type II report (once available)
    satisfies this obligation.

11. LIABILITY — Limited to fees paid by Controller in the prior 12 months,
    save for breach of Section 7(b) and (c).

12. TERM — Effective upon Customer's acceptance of the Terms; survives
    termination for so long as Processor retains Personal Data.

ANNEX I — Subject matter, duration, nature, purpose: see Sections 2-6.
ANNEX II — Technical + Organizational Measures (TOMs): AES-256-GCM at
rest; TLS 1.2+ in transit; hash-chained audit log of all token reads,
OAuth events, agent decisions, deletion requests; principle of least
privilege for connector scopes; multi-factor login for Empire personnel;
quarterly access review.

Signed: ________________________________   Date: __________
For Controller (Customer)

Signed: ________________________________   Date: __________
For Processor (Elite AI Empire)

— END OF TEMPLATE —
This document is provided as a starting point. Both parties should have
counsel review before execution.